[15473] in bugtraq
Re: WuFTPD: Providing *remote* root since at least 1994
daemon@ATHENA.MIT.EDU (der Mouse)
Mon Jun 26 14:18:38 2000
Message-Id: <200006251515.LAA06687@Twig.Rodents.Montreal.QC.CA>
Date: Sun, 25 Jun 2000 11:15:19 -0400
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
>> - sprintf(buf, "index %s", (char *) $6);
>> + snprintf(buf, MAXPATHLEN, "index %s", (char *) $6);
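
Review bot: the size passed on the `+` line is MAXPATHLEN rather than the size of `buf`, and the declaration of `buf` is not visible in this hunk, so the bound is only right if `buf` holds at least MAXPATHLEN bytes. If `buf` is an array in scope, `sizeof(buf)` keeps the limit tied to the buffer itself. The return value of snprintf() is also discarded, so a truncated "index ..." string would be used silently; compare the return value against the size and reject the input when it is greater than or equal to it.
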
> And it is not needed, since there is a 512 char limit on network
> input and MAXPATHLEN is generally about 2K

"generally"? Can you be certain it always is? Otherwise, you need the
check...and it may be a good idea to check anyway.

> Not to mention that could still be overflowable. snprintf() doesn't
> null terminate.

Then IMO it's broken - what's your reference for thinking it doesn't?
The only snprintf manpage I have at hand (NetBSD's) says

    snprintf() and vsnprintf() will write at most size-1 of the characters
    printed into the output string (the size'th character then gets the
    terminating `\0'); if the return value is greater than or equal to the
    size argument, the string was too short and some of the printed
    characters were discarded.

der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
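
The truncation check the quoted manpage describes, as an added example that is not part of the original message or of the WU-FTPD source. The helper name `build_index_cmd`, the buffer sizes and the sample arguments are assumptions made for illustration; the explicit terminator write covers a pre-C99 snprintf() that might not terminate on truncation.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the WU-FTPD source): format the
 * "index <arg>" string discussed in the thread into buf, which holds
 * `size` bytes. Returns 0 on success, -1 if the output was truncated
 * or formatting failed. */
int build_index_cmd(char *buf, size_t size, const char *arg)
{
    int n;

    if (size == 0)
        return -1;          /* no room even for the terminating NUL */

    n = snprintf(buf, size, "index %s", arg);

    /* Defensive: force termination so buf is a valid string even if
     * the local snprintf() does not terminate on truncation. */
    buf[size - 1] = '\0';

    /* Per the manpage text: a return value >= size means some of the
     * printed characters were discarded. A negative value is an error
     * (some older implementations also return -1 on truncation). */
    if (n < 0 || (size_t)n >= size)
        return -1;
    return 0;
}

int main(void)
{
    char small[16];
    char big[64];
    /* Constructed sample input, longer than `small` can hold. */
    const char *arg = "a-constructed-long-argument";
    int rc;

    rc = build_index_cmd(small, sizeof small, arg);
    printf("small: rc=%d stored=\"%s\" len=%zu\n", rc, small, strlen(small));

    rc = build_index_cmd(big, sizeof big, arg);
    printf("big:   rc=%d stored=\"%s\" len=%zu\n", rc, big, strlen(big));
    return 0;
}
```

The caller should treat a -1 return as a rejected command rather than continuing with the truncated string.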