Bugtraq mailing list archives
Not a bug: IIL Advisory: Format String bug in Null Webmail (0.6.3)
From: achurch () achurch org (Andrew Church)
Date: Thu, 26 Sep 2002 01:28:16 JST
As I was severely bitten by this issue lately, this caught my interest, but the "bug" reported in this so-called advisory is in fact not a bug at all. Observe:
int wmprintf(const char *format, ...) /* <--- INTERESTING FUNCTION */
{
    char buffer[1024];
    va_list ap;
    va_start(ap, format);
    vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING
This does pass a (potentially) non-constant string as the format string to vsnprintf(), but (at least from the examples provided) wmprintf() is always called with a constant format string, so this isn't a problem.
    va_end(ap);
    send(wmsocket, buffer, strlen(buffer), 0);
If this were a *printf() call, then we'd have problems, but all it's doing is writing the buffer to the socket--no formatting interpretation involved. As an example, let's expand one of the calls, assuming the %s parameter is "NASTY %sTRING":
wmprintf("USER %s\r\n", wmusername);
--> wmprintf("USER %s\r\n", "NASTY %sTRING");
int wmprintf(const char *format, ...) {
--> format == "USER %s\r\n"
char buffer[1024];
--> buffer == undefined
va_list ap;
--> ap == undefined
va_start(ap, format);
--> ap == &"NASTY %sTRING"
vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING
--> buffer == "USER NASTY %sTRING\r\n"
va_end(ap);
--> ap == undefined
send(wmsocket, buffer, strlen(buffer), 0);
--> send(wmsocket, "USER NASTY %sTRING\r\n", 20, 0);
// logdata (">> %s", buffer);
--> logdata(">> %s", "USER NASTY %sTRING");
return 0;
}
The author is even careful enough to use logdata("%s",buffer) instead of logdata(buffer), which is the careless mistake I made and had pointed out to me. Nothing to see here, move along.
======[ Example Can't test this bug!!! If I'm wrong about this format string bug in Null Webmail, I'm very sorry.
--Andrew Church achurch () achurch org http://achurch.org/
Current thread:
- IIL Advisory: Format String bug in Null Webmail (0.6.3) DownBload (Sep 25)
- Not a bug: IIL Advisory: Format String bug in Null Webmail (0.6.3) Andrew Church (Sep 25)