Bugtraq mailing list archives

Re: WuFTPD: Providing *remote* root since at least 1994


From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Thu, 29 Jun 2000 10:36:30 -0600


Theo de Raadt <deraadt () CVS OPENBSD ORG> writes:

[...regarding snprintf()...]

b) Returns -1 and truncates with a \0

Can you please list the vendors who have the incorrect behaviours you
described in (a) and (b) so that we can properly bitch at them?

glibc before 2.1.x, for one.

Yes, it is known that older glibc had a security issue because their
snprintf was broken, but there is newer software now which does not
have this specific security issue.

There are probably 30+ snprintf calls in OpenBSD which require that
snprintf return the length of buffer it wanted.  We have absolutely no
plans to change those into less-optimal chunks of code.  It's even
possible that openssh has code to do so.

For those 30+ cases, as soon as you assume that snprintf is broken,
the code size for handling that increases massively.  That increased
complexity is not needed.

This is much like how we don't write code for dealing with the busted
connect() system call in Linux (socket reuse in non-blocking mode).
But on the other hand, Linux has also eroded the meaning of the struct
timeval * in select(), so in that case we have dealt with that issue.
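
The return-value dependence discussed in this message, as an added example that is not part of the original post and is not OpenBSD code: the first helper checks for truncation in a way that also tolerates a libc returning -1, and the second sizes its buffer from the C99 return value, which is the kind of call that stops working when snprintf returns -1 on truncation. The helper names `fmt_checked` and `fmt_alloc` and the sample inputs are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: format into a fixed buffer and report truncation.
 * Returns 0 on success, -1 if the output was truncated or formatting failed. */
static int fmt_checked(char *dst, size_t dstsize, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstsize, fmt, ap);
    va_end(ap);
    /* C99: n is the length the full output needed, excluding the NUL.
     * n < 0 covers errors and a libc that returns -1 on truncation. */
    if (n < 0 || (size_t)n >= dstsize)
        return -1;
    return 0;
}

/* Hypothetical helper: allocate exactly what the output needs, relying on
 * the C99 return value. Caller frees. Returns NULL on failure. */
static char *fmt_alloc(const char *fmt, ...)
{
    va_list ap;
    int need, n;
    char *buf;
    va_start(ap, fmt);
    need = vsnprintf(NULL, 0, fmt, ap);      /* size query, writes nothing */
    va_end(ap);
    if (need < 0)                            /* a -1-on-truncation libc ends here */
        return NULL;
    if ((buf = malloc((size_t)need + 1)) == NULL)
        return NULL;
    va_start(ap, fmt);
    n = vsnprintf(buf, (size_t)need + 1, fmt, ap);
    va_end(ap);
    if (n != need) { free(buf); return NULL; }
    return buf;
}

int main(void)
{
    char small[8];                           /* constructed sample input below */
    char *s = fmt_alloc("%s-%d", "username", 42);
    int rc = fmt_checked(small, sizeof small, "%s-%d", "username", 42);
    printf("rc=%d small=%s alloc=%s\n", rc, small, s ? s : "(null)");
    free(s);
    return 0;
}
```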

