
Re: syslog()/snprintf(): beware of functions with fuzzy specs

daemon@ATHENA.MIT.EDU (John Adams)
Sat Sep 9 02:43:43 1995

Date:         Thu, 7 Sep 1995 12:01:41 -0500
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: John Adams <jna@concorde.com>
X-To:         Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  <9509061439.AA20036@aft-ms.Holland.Sun.COM>

On Wed, 6 Sep 1995, Casper Dik wrote:

> >BSD4.4 snprintf()s return the number of characters they would have
> >written had the buffer been infinite.  This is despite the manual page
> >saying they return the number of characters actually written.

> This should be fixed.  It requires the *snprintf() code to parse
> and examine all arguments: that isn't necessary.

Yes, it should be fixed, but we have a large problem in developing secure
code across platforms.

It is hard for a programmer to take into account all of the nuances of the
different compilers, operating systems, and libc.so* revisions. I'm beginning
to wonder if it would be easier to bundle a secure set of string operations
with code that I release, but even then I have to wonder about the integrity
of my code and the willingness of others to use it.

How do we resolve this issue?

-john
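An added example (not from the original thread) of the two snprintf() return-value conventions being discussed, in C with a deliberately small buffer: the idiom that trusts the return value as a write offset, next to an append helper that uses it only as a truncation signal. The "would have written" semantics of the host libc and the constructed field values are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 16   /* deliberately small so both examples hit truncation */

/* Fragile idiom: the snprintf return value is used as the write offset.
 * With "would have written" semantics (C99 / BSD 4.4, assumed here) off
 * runs past the buffer and LOGBUF - off wraps to a huge size_t, so the
 * next snprintf would write out of bounds.  We stop before that call. */
size_t naive_fill_offset(void)
{
    char buf[LOGBUF];
    size_t off = 0;
    off += (size_t)snprintf(buf + off, LOGBUF - off, "user=%s", "alice");
    off += (size_t)snprintf(buf + off, LOGBUF - off, " host=%s", "mailhost.example");
    return off;   /* 32: already beyond the 16-byte buffer */
}

/* Portable append: the return value is only a truncation signal, never an
 * offset, so behaviour is identical under either return-value convention.
 * Returns 1 if the field fit; 0 if truncated or vsnprintf failed, in which
 * case the partial field is dropped and *used is left unchanged. */
int safe_append(char *buf, size_t size, size_t *used, const char *fmt, ...)
{
    va_list ap;
    if (size == 0 || *used >= size)
        return 0;                          /* refuse rather than underflow */
    va_start(ap, fmt);
    int n = vsnprintf(buf + *used, size - *used, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= size - *used) {
        buf[*used] = '\0';                 /* keep only the complete fields */
        return 0;
    }
    *used += (size_t)n;
    return 1;
}

/* Same log line built safely; returns the bytes kept (10, "user=alice"),
 * or (size_t)-1 if the guard misbehaved. */
size_t safe_fill_used(void)
{
    char out[LOGBUF];
    size_t used = 0;
    (void)safe_append(out, LOGBUF, &used, "user=%s", "alice");
    if (safe_append(out, LOGBUF, &used, " host=%s", "mailhost.example"))
        return (size_t)-1;                 /* 22 more bytes cannot fit */
    return strlen(out) == used ? used : (size_t)-1;
}
```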
