Vulnerability Development mailing list archives

Re: sendmail ;o)


From: klmitch () MIT EDU (Kev)
Date: Mon, 17 Jul 2000 09:48:01 -0400


In Solaris snprintf doesn't null terminate (when buffer overflows). When
sendmail is used here it may lead to some security problems. I'm not using
Solaris so I don't need to do anything about it except for sending
information to sendmail.org and to some lists like this one.

[xxxxx]-[/tmp/klmitch]-> ./foo 0123456789 012345678901234567890123456789
snprintf returned 10 for "0123456789"
0000000: 30313233 34353637 38390007 fc096b80 | 0123456789....k.
0000010: ef7d9fac                            | .}..
snprintf returned 30 for "012345678901234567890123456789"
0000000: 30313233 34353637 38393031 32333435 | 0123456789012345
0000010: 36373800                            | 678.
[xxxxx]-[/tmp/klmitch]-> uname -a
SunOS xxxxx.mit.edu 5.6 Generic_105181-13 sun4m sparc SUNW,SPARCstation-5
[xxxxx]-[/tmp/klmitch]-> cat foo.c
#include <stdio.h>
#include <print_token.h>   /* external hex-dump helper, see the URL below */

int
main(int argc, char **argv)
{
  char buf[20];
  int i;

  /* copy each argument into the 20-byte buffer with snprintf and then
     dump the whole buffer so the terminating NUL (or its absence) shows */
  while (--argc) {
    i = snprintf(buf, sizeof(buf), "%s", *++argv);

    printf("snprintf returned %d for \"%s\"\n", i, *argv);
    print_token(buf, sizeof(buf));
  }

  return 0;
}

(print_token.[ch] are at http://web.mit.edu/klmitch/src/print_token.[ch])

Seems pretty clear that at least Solaris 2.6's snprintf properly
nul-terminates, even on buffer overflow.  I will give you a point if
you stated that the man page isn't clear about this, though ;)

--
Kevin L. Mitchell <klmitch () mit edu>
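The check above depends on an external hex-dump helper. The following is an added, self-contained example (not code from the original post or from sendmail) that does the same experiment with its own dump routine, pre-fills the buffer with a 0xAA sentinel so a missing NUL is unmistakable, and also shows the defensive pattern worth using on any platform: test the return value for truncation and force the last byte to NUL so the result is terminated even under a pre-C99 snprintf. The two sample strings are the ones from the session above; the function names and the 64-byte scratch buffer are this example's own choices.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Minimal hex dump with an ASCII column, similar in spirit to print_token. */
static void hexdump(const unsigned char *p, size_t len)
{
    size_t i, j;
    for (i = 0; i < len; i += 16) {
        printf("%07zx: ", i);
        for (j = 0; j < 16; j++) {
            if (i + j < len) printf("%02x", p[i + j]);
            else             printf("  ");
            if (j % 4 == 3)  putchar(' ');
        }
        printf("| ");
        for (j = 0; j < 16 && i + j < len; j++) {
            unsigned char c = p[i + j];
            putchar((c >= 0x20 && c < 0x7f) ? c : '.');
        }
        putchar('\n');
    }
}

/* Run snprintf of `src` into a `size`-byte window of a sentinel-filled buffer.
   Returns 1 if a NUL landed inside the window, 0 if the implementation left
   the string unterminated. *truncated is set when the source did not fit. */
int snprintf_terminates(const char *src, size_t size, int *truncated)
{
    char buf[64];             /* scratch buffer; window is capped to its size */
    int n;

    if (size > sizeof buf) size = sizeof buf;
    memset(buf, 0xAA, sizeof buf);          /* sentinel: any 0xAA left is untouched */
    n = snprintf(buf, size, "%s", src);
    if (truncated) *truncated = (n < 0 || (size_t)n >= size);
    hexdump((const unsigned char *)buf, size);
    return memchr(buf, '\0', size) != NULL;
}

/* Defensive copy: rely on snprintf for bounds, then force termination so the
   result is safe even if the platform's snprintf does not terminate on
   overflow. Returns 1 if the source was truncated, 0 otherwise. */
int safe_copy(char *dst, size_t size, const char *src)
{
    int n;

    if (size == 0) return 1;
    n = snprintf(dst, size, "%s", src);
    dst[size - 1] = '\0';                    /* harmless on C99, essential elsewhere */
    return n < 0 || (size_t)n >= size;
}

int main(void)
{
    /* Constructed inputs: the same two strings used in the session above. */
    static const char *samples[] = {
        "0123456789",
        "012345678901234567890123456789"
    };
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int trunc;
        int ok = snprintf_terminates(samples[k], 20, &trunc);
        printf("\"%s\": terminated=%d truncated=%d\n", samples[k], ok, trunc);
    }
    return 0;
}
```

If `snprintf_terminates` ever returns 0 on a platform, that platform's snprintf is not safe to use without the extra `dst[size - 1] = '\0'` shown in `safe_copy`; the truncation flag is what code like sendmail should be checking in either case, since a silently truncated string is a correctness problem even when it is terminated.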
