[15499] in bugtraq


Re: WuFTPD: Providing *remote* root since at least 1994

daemon@ATHENA.MIT.EDU (Mikael Olsson)
Tue Jun 27 17:30:03 2000

Message-Id:  <3957B440.4114A67A@enternet.se>
Date:         Mon, 26 Jun 2000 21:51:28 +0200
Reply-To: Mikael Olsson <mikael.olsson@ENTERNET.SE>
From: Mikael Olsson <mikael.olsson@ENTERNET.SE>
X-To:         der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@SECURITYFOCUS.COM

der Mouse wrote:
>
> > Not to mention that could still be overflowable.  snprintf() doesn't
> > null terminate.
>
> Then IMO it's broken - what's your reference for thinking it doesn't?
> The only snprintf manpage I have at hand (NetBSD's) says

There was quite a bit of discussion about the behavior of snprintf()
a while ago; can't quite remember on which list it was though.

The consensus was that "(default libs of) different OSes behave
completely differently", so if you want to be cross-platform
(or cross-major-version), you can't assume that snprintf() terminates.
You need to do a mystring[sizeof(mystring)-1]='\0' after the call
to be on the safe side.

And, no, this wasn't just "lame OS" standard behaviour; it differs
between different unix dialects.

I also _think_ I remember posts saying that ANSI C doesn't require
snprintf() to null terminate. (Don't quote me on that though)

$.02

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: mikael.olsson@enternet.se
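
Added example, not part of the original message: the unconditional-termination step recommended above, wrapped in a helper that also reports truncation under either snprintf() return convention. The helper name fmt_bounded and the sample path are assumptions made for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (the name is an assumption of this example).
 * Formats into dst and always leaves dst NUL-terminated.
 * Returns 0 if the whole string fit, 1 if it was truncated or the
 * formatter reported an error, -1 if there is no usable buffer. */
static int fmt_bounded(char *dst, size_t dstsize, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dst == NULL || dstsize == 0)
        return -1;              /* no room even for the terminator */

    va_start(ap, fmt);
    n = vsnprintf(dst, dstsize, fmt, ap);
    va_end(ap);

    /* The step from the message: terminate unconditionally, so the
     * result is a valid string whatever the local libc did. */
    dst[dstsize - 1] = '\0';

    /* Two return conventions exist: a negative value on truncation or
     * error, or the length the complete output would have had. */
    if (n < 0 || (size_t)n >= dstsize)
        return 1;
    return 0;
}

/* Constructed sample input: a path longer than the small buffer. */
static const char *sample_long =
    "/pub/incoming/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

int main(void)
{
    char small[16], big[128];
    int t1 = fmt_bounded(small, sizeof(small), "CWD %s", sample_long);
    int t2 = fmt_bounded(big, sizeof(big), "CWD %s", sample_long);

    printf("truncated=%d len=%lu \"%s\"\n", t1,
           (unsigned long)strlen(small), small);
    printf("truncated=%d len=%lu \"%s\"\n", t2,
           (unsigned long)strlen(big), big);
    return (t1 == 1 && t2 == 0) ? 0 : 1;
}
```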
