Vulnerability Development mailing list archives
Re: sendmail ;o)
From: klmitch () MIT EDU (Kev)
Date: Mon, 17 Jul 2000 09:48:01 -0400
In Solaris snprintf doesn't null terminate (when buffer overflows). When sendmail is used here it may lead to some security problems. I'm not using Solaris so I don't need to do anything about it except for sending information to sendmail.org and to some lists like this one.
[xxxxx]-[/tmp/klmitch]-> ./foo 0123456789 012345678901234567890123456789
snprintf returned 10 for "0123456789"
0000000: 30313233 34353637 38390007 fc096b80 | 0123456789....k.
0000010: ef7d9fac | .}..
snprintf returned 30 for "012345678901234567890123456789"
0000000: 30313233 34353637 38393031 32333435 | 0123456789012345
0000010: 36373800 | 678.
[xxxxx]-[/tmp/klmitch]-> uname -a
SunOS xxxxx.mit.edu 5.6 Generic_105181-13 sun4m sparc SUNW,SPARCstation-5
[xxxxx]-[/tmp/klmitch]-> cat foo.c
#include <stdio.h>
#include <print_token.h>

int main(int argc, char **argv)
{
  char buf[20];
  int i;

  while (--argc) {
    i = snprintf(buf, sizeof(buf), "%s", *++argv);
    printf("snprintf returned %d for \"%s\"\n", i, *argv);
    print_token(buf, sizeof(buf));
  }

  return 0;
}

(print_token.[ch] are at http://web.mit.edu/klmitch/src/print_token.[ch])

Seems pretty clear that at least Solaris 2.6's snprintf properly nul-terminates, even on buffer overflow. I will give you a point if you stated that the man page isn't clear about this, though ;)

--
Kevin L. Mitchell <klmitch () mit edu>
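The check from the message above, as an added example that is not part of the original post: it repeats the 20-byte-buffer test without print_token by poisoning the buffer and locating the first NUL, and adds a wrapper that terminates the buffer itself and reports truncation. The names probe_raw, checked_snprintf and fmt_status are hypothetical, chosen for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum fmt_status { FMT_OK, FMT_TRUNCATED, FMT_ERROR };

/* Index of the first NUL in a poisoned 20-byte buffer after a raw
 * snprintf, or -1 if the libc left the buffer unterminated. */
static int probe_raw(const char *arg)
{
    char buf[20];
    const char *nul;

    memset(buf, 'X', sizeof(buf));            /* poison: stale bytes can't fake a NUL */
    snprintf(buf, sizeof(buf), "%s", arg);
    nul = memchr(buf, '\0', sizeof(buf));
    return nul ? (int)(nul - buf) : -1;
}

/* Hypothetical wrapper: always terminates and reports truncation. */
static enum fmt_status checked_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (buf == NULL || size == 0)
        return FMT_ERROR;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    buf[size - 1] = '\0';                     /* do not rely on the libc for this */
    if (n < 0)
        return FMT_ERROR;                     /* some pre-C99 libcs return -1 on overflow */
    return (size_t)n >= size ? FMT_TRUNCATED : FMT_OK;
}

int main(int argc, char **argv)
{
    char buf[20];

    while (--argc > 0) {
        ++argv;
        printf("first NUL at %d, status %d for \"%s\"\n", probe_raw(*argv),
               (int)checked_snprintf(buf, sizeof(buf), "%s", *argv), *argv);
    }
    return 0;
}
```

Run with the same two arguments as the session above; a first-NUL index of -1 would indicate a libc that does not terminate on overflow.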