Home page logo

bugtraq logo Bugtraq mailing list archives

syslog()/snprintf(): beware of functions with fuzzy specs
From: dmorriso () us oracle com (Dave Morrison)
Date: Fri, 1 Sep 1995 17:23:53 -0700

There are some nasty semantic questions associated with the proper
return value for snprintf.

BSD4.4 snprintf()s return the number of characters they would have
written had the buffer been infinite.  This is despite the manual page
saying they return the number of characters actually written.

Number of characters written does not include the NULL.

GNU snprintf()s return the number of characters actually written (minus
the NULL).  On a overflowed buffer, the GNU documentation conflicts with
itself.  At one point it says, (bufsiz - 1) is returned, and in another
example it says (bufsiz) is returned (but (bufsiz - 1) plus a NULL
character are written).  I'm not sure what it does for real.

I've seen a few other cobbled version of *nprintf.  I'm best off with a
dart board if I needed to apriori determine what they do on the boundary

Some important boundary cases:

vsnprintf (buf, bufsiz, fmt, ap)

  bufsiz = 0
  bufsiz = 1
  bufsiz = amount of chars sprint will use, less one for the null
  bufsiz = amount of chars sprint will use, no room for null
  bufsiz = less than amount of chars sprint will use

Which return values of -1, 0, bufsiz - 1, bufsiz, or >bufsiz (heaven
forbid a core dump)?  Do they write on buf[bufsiz]?  What do they write
to buf?  What is the state of NULL terminatation on each of the
sitations above?  Many different answers have I seen.

For those of you working on syslog patches using *nprintf, you will do
the world a favor if you make it explicitly clear the semantics you

Dave Morrison
dmorriso () us oracle com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]