Posted to dev@httpd.apache.org by Brian Behlendorf <br...@organic.com> on 1997/07/11 01:54:25 UTC

Re: [linux-security] so-called snprintf() in db-1.85.4 (fwd)

I just want to say thank you to marc for giving us a real snprintf.  look
what kind of press we could have garnered with a bogus one. :)

	Brian

>Approved-By: aleph1@UNDERGROUND.ORG
>X-Mailer: ELM [version 2.4 PL25]
>Date: 	Thu, 10 Jul 1997 04:46:09 -0500
>Reply-To: Joe Zbiciak <jz...@DALDD.SC.TI.COM>
>Sender: Bugtraq List <BU...@NETSPACE.ORG>
>From: Joe Zbiciak <jz...@DALDD.SC.TI.COM>
>Subject:      Re: [linux-security] so-called snprintf() in db-1.85.4 (fwd)
>X-To:         aleph1@DFW.NET
>To: BUGTRAQ@NETSPACE.ORG
>
>'Aleph One' said previously:
>|
>| Hi,
>|
>| There is a severe problem with the db-1.85.4 library's Linux
>| port that can be found on sunsite.unc.edu under
>| /pub/Linux/libs/db-1.85.4-src.tar.gz (sp?): This library
>| contains a "snprintf" function which breaks down to a common
>| sprintf, ignoring the size parameter. [...]
>
>The old Linux libbsd (whose source is included in a subdirectory
>of the libc source) had such an snprintf as well.  I would imagine
>anybody linking against an old libbsd would have this same
>problem.
>
>To quote the source file:
>
>/* snprintf.c - emulate BSD snprintf with sprintf - rick sladkey */
>
>#include <stdio.h>
>#include <stdarg.h>
>
>int snprintf(char *s, int len, char *format, ...)
>{
>        You are trying to do something very wrong.
>        Don't use this source if you want to stay alive!
>
>        va_list args;
>        int result;
>
>        va_start(args, format);
>        result = vsprintf(s, format, args);
>        va_end(args);
>        return result;
>}
>
>
>Somebody obviously had enough of a sense of humor to place the
>(non-comment-enclosed) statement in this version.  Apparently, once
>upon a time that was an active part of the library.  (*shudder*)
>
>
>Regards,
>
>--Joe
>
>--
> +--------------Joseph Zbiciak--------------+
> |- - - - jzbiciak@daldd.sc.ti.com - - - - -|
> | - - http://www.primenet.com/~im14u2c - - |      Not your average "Joe."
> |- - - - Texas Instruments,  Dallas - - - -|
> +-------#include <std_disclaimer.h>--------+
>
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Why not?" - TL           brian@organic.com - hyperreal.org - apache.org