[15560] in bugtraq
Re: WuFTPD: Providing *remote* root since at least 1994
daemon@ATHENA.MIT.EDU (Casper Dik)
Thu Jun 29 15:35:11 2000
Message-Id: <200006290742.JAA26345@romulus.Holland.Sun.COM>
Date: Thu, 29 Jun 2000 09:42:28 +0200
Reply-To: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
From: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
X-To: carson@tla.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Tue, 27 Jun 2000 17:31:29 EDT."
<14681.7473.840027.523709@taltos.tla.org>
>>>>>> "Mouse" == der Mouse <mouse@RODENTS.MONTREAL.QC.CA> writes:
>
>>> Not to mention that could still be overflowable. snprintf() doesn't
>>> null terminate.
>
>Mouse> Then IMO it's broken - what's your reference for thinking it doesn't?
>Mouse> The only snprintf manpage I have at hand (NetBSD's) says
>
>The behaviour of snprintf() has _changed_. The evil forces of POSIX (as
>opposed to the benign forces of POSIX) changed the semantics without
>changing the function name. They never learn...
POSIX? Perhaps you mean X/Open? X/Open does guarantee NUL termination.
The return value is, however, not properly specified.
http://www.opengroup.org/onlinepubs/007908799/xsh/fprintf.html
lists undefined behaviour for n < 1 (return a value < 1) and also
appears to indicate it will return at most "n - 1".
I think a defect report was issued; X/Open is also likely to
follow C99.
>So, if you use snprintf() in portable code, you must either:
>
>- Check to see if it null-terminates
If it doesn't, it's broken.
>- Check to see what value it returns (number of bytes copied? number of
>bytes it _would_ have copied, if bufflen was infinite? -1 (what's errno)? 0?)
That is something that differs from implementation to implementation; I'm
told even the original one returned bytes copied rather than whatever
sprintf() would have returned.
Also, be aware that snprintf(NULL, 0, fmt, ...) and snprintf(buf, 0, fmt, ...)
are dangerous constructs to use (few implementations return the sprintf()
result in that case)
Since snprintf() shares the printf() formatting engine with the other
functions it can return -1 w/ errno = EILSEQ on UNIX98 compliant systems.
(And probably other errnos too)
However, EILSEQ will only happen for wide char conversions; static
inspection of the snprintf fmt string will tell you whether or not
you'll encounter them.
Casper
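The portability caveats in the message above (NUL termination not guaranteed everywhere, a return value that is "bytes copied" on some libcs and "bytes that would have been written" on C99 ones, the size-0 constructs, and -1 with errno = EILSEQ) folded into one defensive wrapper. This is an added example, not code from the thread or from WuFTPD; the names safe_format, demo_case and fmt_status are my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Outcome of safe_format(); names are mine, not from the thread. */
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/*
 * Portable snprintf() wrapper that trusts neither the NUL termination nor
 * the return-value convention of the underlying libc:
 *  - n == 0 is refused, since snprintf(buf, 0, ...) varies per implementation;
 *  - buf[n-1] is forced to '\0' for libcs that do not terminate;
 *  - a negative return is an error (UNIX98 may give -1 with errno = EILSEQ);
 *  - ret >= n-1 is reported as (possible) truncation: C99 returns the length
 *    that would have been written, but a "bytes copied" libc returns at most
 *    n-1, so an exact fit and an overflow cannot be told apart portably.
 */
enum fmt_status safe_format(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    int ret;

    if (buf == NULL || n == 0)
        return FMT_ERROR;

    va_start(ap, fmt);
    ret = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    buf[n - 1] = '\0';              /* defensive termination, whatever the libc did */

    if (ret < 0)
        return FMT_ERROR;           /* errno describes the failure */
    if ((size_t)ret >= n - 1)
        return FMT_TRUNCATED;       /* caller must not assume the full output is present */
    return FMT_OK;
}

/* Demonstration: format `input` into an 8-byte buffer poisoned with 'X'
 * (so a missing NUL would show) and report whether status and content match. */
int demo_case(const char *input, const char *expected, enum fmt_status want)
{
    char buf[8];
    enum fmt_status st;

    memset(buf, 'X', sizeof buf);
    st = safe_format(buf, sizeof buf, "%s", input);
    return st == want && strcmp(buf, expected) == 0;
}
```

Note that the exact-fit case is deliberately reported as truncation; that is the price of not depending on which return-value convention the libc follows.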