Bugtraq mailing list archives
Re: patch for qpopper remote exploit bug
From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Tue, 30 Jun 1998 15:35:32 -0400
Today, snprintf and vsnprintf are required. Without them, there's some code in the libraries which cannot be written safely.
ie:
gen/syslog.c: prlen = vsnprintf(p, tbuf_left, fmt_cpy, ap);
Actually, stuff like this can be done just fine with what NetBSD (and OpenBSD, presumably) calls funopen() - you don't actually need {,v}snprintf. Indeed, funopen() is a bit of a sledgehammer; all the rest of stdio could be removed without losing any power (just convenience).

I actually prefer funopen() in most respects. In particular, it allows things like printing into mallocked storage without having to impose a length limit (which naive use of snprintf and strdup does).

stdio has desperately needed something like funopen() for a long time. It was so egregiously missing that I hacked it into the 4.3 stdio back when I was working with 4.3...I called it fopenfxn() and the interface was a bit different, but it was basically the same idea.

der Mouse
mouse () rodents montreal qc ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
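
The approach the message describes, printing through a stdio stream whose write hook appends to malloc'd storage so that no length limit has to be chosen, as an added example that is not part of the original post. The names membuf, mb_append, mb_write, mb_open and mb_asprintf are hypothetical; on Linux the code uses fopencookie(), the glibc/musl counterpart, because funopen() is BSD-specific.

```c
/* Added example; membuf and the mb_* names are hypothetical, not from the message. */
#define _GNU_SOURCE                 /* exposes fopencookie() on Linux libcs */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
struct membuf { char *data; size_t len, cap; };
/* Append n bytes, growing the allocation as needed; data stays NUL-terminated. */
static int mb_append(struct membuf *m, const char *src, size_t n)
{
    if (m->len + n + 1 > m->cap) {
        size_t cap = m->cap ? m->cap : 64;
        while (cap < m->len + n + 1) cap *= 2;
        char *p = realloc(m->data, cap);
        if (!p) return -1;
        m->data = p; m->cap = cap;
    }
    memcpy(m->data + m->len, src, n);
    m->len += n;
    m->data[m->len] = '\0';
    return 0;
}

#ifdef __linux__   /* no funopen() in glibc/musl; fopencookie() is the equivalent hook */
static ssize_t mb_write(void *c, const char *b, size_t n) { return mb_append(c, b, n) ? 0 : (ssize_t)n; }
static FILE *mb_open(struct membuf *m)
{
    cookie_io_functions_t io = { NULL, mb_write, NULL, NULL };
    return fopencookie(m, "w", io);
}
#else              /* BSD, macOS: funopen() as named in the message */
static int mb_write(void *c, const char *b, int n) { return mb_append(c, b, (size_t)n) ? -1 : n; }
static FILE *mb_open(struct membuf *m) { return funopen(m, NULL, mb_write, NULL, NULL); }
#endif

/* printf into freshly malloc'd storage with no preset length; caller frees, NULL on error. */
char *mb_asprintf(const char *fmt, ...)
{
    struct membuf m = { NULL, 0, 0 };
    FILE *fp = mb_open(&m);
    if (!fp) return NULL;
    va_list ap;
    va_start(ap, fmt);
    int rc = vfprintf(fp, fmt, ap);
    va_end(ap);
    if (fclose(fp) != 0 || rc < 0) { free(m.data); return NULL; }   /* fclose flushes via mb_write */
    if (!m.data && mb_append(&m, "", 0) != 0) return NULL;           /* empty output */
    return m.data;
}
```

The output size is bounded only by available memory, so a caller formatting untrusted input may still want its own cap on total length.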