Bugtraq mailing list archives

Re: ProFTPD 1.2.0pre4 available

From: pfaffben () MSU EDU (Ben Pfaff)
Date: Fri, 3 Sep 1999 20:28:05 -0400

Werner Koch <wk () ISIL D SHUTTLE DE> writes:

   Malicious User <mark () NIJNTJE NET> writes:

   > knock it around.  I suspect this version will still fail on FreeBSD
   > (anyone care to offer up an account for me on a FreeBSD system to test

   Instead of using snprintf() you can  you sprintf() and change the
   "%s" formats to (e.g.) "$%.30s" - somewhat more work but much more
   portable.

Note that snprintf() is in the C9x draft standard, so it will soon be
much more common that it is today.  As a result, it may not be worth
it to try to be more portable through such devices.

In addition, it is worth noting that snprintf() as specified by the
C9x draft has return value semantics different from those commonly
found.  As a result, calls to snprintf() where the return value is
checked should be scrutinized, since this change could presumably pose
a security risk.

To cite one place where this changes, glibc 2.1 uses the C9x return
value semantics, whereas glibc 2.0 uses the older semantics.

--
"You know, they probably have special dorms for people like us."
--American Pie

Current thread:

ProFTPD 1.2.0pre4 available Malicious User (Aug 30)
- Re: ProFTPD 1.2.0pre4 available Werner Koch (Sep 01)
- <Possible follow-ups>
- Re: ProFTPD 1.2.0pre4 available Ben Pfaff (Sep 03)
  - Re: ProFTPD 1.2.0pre4 available Theo de Raadt (Sep 08)
    - Re: ProFTPD 1.2.0pre4 available Casper Dik (Sep 12)
  - CISCO and nestea. Vit Andrusevich (Sep 09)
    - Re: CISCO and nestea. Basil V. Dolmatov (Sep 11)
    - Re: CISCO and nestea. Jim Duncan (Sep 11)