Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: syslog()/snprintf(): beware of functions with fuzzy specs
From: jna () concorde com (John Adams)
Date: Thu, 7 Sep 1995 12:01:41 -0500


On Wed, 6 Sep 1995, Casper Dik wrote:

BSD4.4 snprintf()s return the number of characters they would have
written had the buffer been infinite.  This is despite the manual page
saying they return the number of characters actually written.

This should be fixed.  It requires the *snprintf() code to parse
and examine all arguments: that isn't necessary.

Yes, it should be fixed, but we have a large problem in developing secure
code across platforms.

For a programmer to take into account all of the nuances of the different
compilers, operating systems, and libc.so* revisions. I'm beginning to
wonder if it would be easier to bundle a secure set of string operations
with code that I release, but even then I have to wonder of the integrity
of my code and the willingness of others to use it.

How do we resolve this issue?

-john



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]