[7075] in bugtraq

Re: QPOPPER problem.... ONE crude patch...

daemon@ATHENA.MIT.EDU (Marco S Hyman)
Sun Jun 28 02:12:27 1998

Date: 	Sat, 27 Jun 1998 15:31:12 -0700
Reply-To: Marco S Hyman <marc@SNAFU.ORG>
From: Marco S Hyman <marc@SNAFU.ORG>
X-To:         Daniel Ryde <ryde@TRIPNET.SE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Sat, 27 Jun 1998 18:31:05 +0200." 
              <Pine.LNX.3.96.980627181545.1549A-100000@hobbe.tripnet.se>

Daniel Ryde writes:
 > >         vsnprintf(mp,sizeof(message)-(mp - message)-3,format,ap);
 >
 > Dangerous, if the string is truncated it will skip the null termination,

This came up a while back.  Some versions of [v]snprintf copy
size - 1 characters into str and then null terminate.  Example: the
OpenBSD snprintf man page says:

     Snprintf(), vsnprintf(), asnprintf() and vasnprintf() will write at most
     size-1 of the characters printed into the output string (the size'th
     character then gets the terminating `\0'); if the return value is greater
     than or equal to the size argument, the string was too short and some of
     the printed characters were discarded.

It's possible that the author is using a system with the above semantics.
People patching the code must know what their [v]snprintf does.

// marc
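
An added example, not part of the original message or of the qpopper source: a wrapper that makes the quoted call safe under either [v]snprintf behaviour discussed above, by terminating the buffer itself and treating both truncation return conventions as truncation. The name `append_fmt` and its `reserve` parameter are hypothetical; the reserve of 3 bytes mirrors the `-3` in the quoted call.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: append formatted text at *mp inside buf[0..bufsize),
 * keeping `reserve` bytes free at the end of the buffer.
 * Returns 0 if everything fit, 1 if output was truncated, -1 on bad args. */
static int append_fmt(char *buf, size_t bufsize, char **mp, size_t reserve,
                      const char *format, ...)
{
    va_list ap;
    size_t used, room;
    int n;

    if (!buf || !mp || *mp < buf || (size_t)(*mp - buf) >= bufsize)
        return -1;
    used = (size_t)(*mp - buf);
    if (bufsize - used <= reserve)
        return -1;              /* nothing left once the tail is reserved */
    room = bufsize - used - reserve;

    (*mp)[0] = '\0';            /* defined content even if the call fails */
    va_start(ap, format);
    n = vsnprintf(*mp, room, format, ap);
    va_end(ap);

    /* Terminate unconditionally: harmless where vsnprintf already wrote
     * the NUL, required where it does not terminate on truncation. */
    (*mp)[room - 1] = '\0';

    /* Some implementations return the untruncated length, others return
     * -1 when the output did not fit. Treat both as truncation. */
    if (n < 0 || (size_t)n >= room) {
        *mp += strlen(*mp);
        return 1;
    }
    *mp += n;
    return 0;
}
```

The caller checks the return value instead of assuming the whole message was written, and the reserved bytes stay available for whatever is appended afterwards.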
