Bugtraq mailing list archives
Re: buffer overrun in zlib 1.1.4
From: Thamer Al-Harbash <tmh () whitefang com>
Date: Mon, 24 Feb 2003 13:36:34 -0500 (EST)
On Sat, 22 Feb 2003, Richard Kettlewell wrote:
There is an internal #define (HAS_vsnprintf) that causes it to use vsnprintf() instead of vsprintf(), but this is not enabled by default, not tested for by the configure script, and not documented.
This is a fairly normal (and somewhat frightening) practice I've seen in several popular packages. Last I checked ISC dhcp has a #define for vsnprintf to be vsprintf if the UNIX flavor did not support snprintf. medusa: {29} cd dhcp-3.0pl2 medusa: {30} grep sprintf `find . -name "*.h"` | tail -10 ./includes/cf/qnx.h:# define vsnprintf( buf, size, fmt, list ) vsprintf( buf, fbuf, list ) ./includes/cf/sample.h: sprintf functions which will deposit a limited number of characters ./includes/cf/sample.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) ./includes/cf/sco.h:/* SCO doesn't support limited sprintfs. */ ./includes/cf/sco.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) ./includes/cf/sunos4.h:/* SunOS doesn't support limited sprintfs. */ ./includes/cf/sunos4.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) ./includes/cf/sunos5-5.h:/* Solaris doesn't support limited sprintfs. */ ./includes/cf/sunos5-5.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) ./includes/cf/ultrix.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list) I know that Ted Lemon, the primary author, is aware this. I've mentioned it to him a while ago. I am also not aware of this causing any security holes; although I honestly have not given his source a security audit. There are replacement 'snprintf' packages which avoid this. Patrick Powell's replacement is used in Mutt (a popular MUA) and has a very liberal license. -- Thamer Al-Harbash http://www.whitefang.com/ team dresch made me do it
Current thread:
- buffer overrun in zlib 1.1.4 Richard Kettlewell (Feb 23)
- Re: buffer overrun in zlib 1.1.4 Carlo Marcelo Arenas Belon (Feb 24)
- Re: buffer overrun in zlib 1.1.4 Thamer Al-Harbash (Feb 24)