[7087] in bugtraq

Re: patch for qpopper remote exploit bug

daemon@ATHENA.MIT.EDU (Ben Laurie)
Sun Jun 28 16:47:50 1998

Date: 	Sun, 28 Jun 1998 21:02:18 +0100
Reply-To: Ben Laurie <ben@ALGROUP.CO.UK>
From: Ben Laurie <ben@ALGROUP.CO.UK>
X-To:         Steven Winikoff <smw@alcor.concordia.ca>
To: BUGTRAQ@NETSPACE.ORG

Steven Winikoff wrote:
> This version follows the semantics for vsnprintf() as found in
> NetBSD/386 1.2:
>
> 8<----------------------------   cut here   -------------------------->8
> #include <stdarg.h>
> #include <stdio.h>
> #include <string.h>
>
> /*
>  *   vsnprintf() -- hacked interface, because DEC OSF/1 doesn't
>  *                  have the real thing...
>  *
>  *   Steven Winikoff
>  *   1998/06/27
>  *
>  *   This code is rather feeble-minded; all it does is truncate the
>  *   given string temporarily, call vsprintf() to "print" it, and
>  *   then restore the original string.
>  *
>  *   We return whatever we got from vsprintf().
>  */
>
> int vsnprintf(char *str, size_t n, const char *fmt, va_list ap)
> {
>    int  result;
>    char c;
>
>    /**  do we even need to bother?  **/
>
>    if (strlen(str) < n) return(vsprintf(str, fmt, ap));
>
>    /**  okay, truncate, call vsprintf(), and restore:  **/
>
>    c        = str[n-1];
>    str[n-1] = '\0';                   /* take that! :-)         */
>    result   = vsprintf(str, fmt, ap); /* do the write thing :-) */
>    str[n-1] = c;                      /* all better now :-)     */
>
>    return(result);
> }
> 8<----------------------------   cut here   -------------------------->8
>
> I don't know if this is helpful at all, but I figured I should pass it
> on anyway just in case.

WTF? This doesn't even remotely do what vsnprintf() does!

BTW, Apache has an implementation of vsnprintf() that we use coz not all
platforms supply it. So long as appropriate credits are given and due
regard is paid to licensing and licence compatibility, I see no reason
why people shouldn't use it.

Cheers,

Ben.

--
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
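Why the quoted shim does not bound the write, as an added example (not code from either poster or from Apache): vsprintf() never looks at what the destination currently holds, so planting a NUL at str[n-1] limits nothing. The 64-byte arena, the limit of 8 and the test string are constructed for illustration, and the comparison assumes a C99 vsnprintf() in libc.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ARENA 64   /* real size of the destination (constructed) */
#define LIMIT 8    /* the n the caller asks to be honoured */

/* The shim as quoted above, renamed to avoid clashing with libc. */
static int shim_vsnprintf(char *str, size_t n, const char *fmt, va_list ap)
{
    int result;
    char c;
    if (strlen(str) < n) return vsprintf(str, fmt, ap);
    c = str[n - 1];
    str[n - 1] = '\0';                 /* has no effect on vsprintf() */
    result = vsprintf(str, fmt, ap);   /* still writes the whole output */
    str[n - 1] = c;                    /* overwrites a byte of that output */
    return result;
}

/* Variadic front end so both implementations get an identical va_list. */
static int fmt_into(int use_shim, char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = use_shim ? shim_vsnprintf(buf, n, fmt, ap) : vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Format a 20-byte string with limit LIMIT into a 64-byte arena and count
   the bytes modified at offsets >= LIMIT, i.e. past what the caller allowed. */
int bytes_written_past_limit(int use_shim)
{
    char arena[ARENA];
    int i, changed = 0;
    memset(arena, 'X', ARENA - 1);     /* sentinel fill, NUL-terminated */
    arena[ARENA - 1] = '\0';
    fmt_into(use_shim, arena, LIMIT, "%s", "AAAAAAAAAAAAAAAAAAAA");
    for (i = LIMIT; i < ARENA - 1; i++)
        if (arena[i] != 'X') changed++;
    return changed;
}

int main(void)
{
    printf("shim: %d bytes past limit\n", bytes_written_past_limit(1));
    printf("libc: %d bytes past limit\n", bytes_written_past_limit(0));
    return 0;
}
```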
