Re: buffer overrun in zlib 1.1.4

From: Thamer Al-Harbash (tmh@whitefang.com)
Date: 02/24/03

    Date: Mon, 24 Feb 2003 13:36:34 -0500 (EST)
    From: Thamer Al-Harbash <tmh@whitefang.com>
    To: bugtraq@securityfocus.com

    On Sat, 22 Feb 2003, Richard Kettlewell wrote:

    > There is an internal #define (HAS_vsnprintf) that causes it to use
    > vsnprintf() instead of vsprintf(), but this is not enabled by default,
    > not tested for by the configure script, and not documented.

    This is a fairly normal (and somewhat frightening) practice I've
    seen in several popular packages.

    Last I checked ISC dhcp has a #define for vsnprintf to be
    vsprintf if the UNIX flavor did not support snprintf.

    medusa: {29} cd dhcp-3.0pl2
    medusa: {30} grep sprintf `find . -name "*.h"` | tail -10
    ./includes/cf/qnx.h:# define vsnprintf( buf, size, fmt, list ) vsprintf( buf, fbuf, list )
    ./includes/cf/sample.h: sprintf functions which will deposit a limited number of characters
    ./includes/cf/sample.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
    ./includes/cf/sco.h:/* SCO doesn't support limited sprintfs. */
    ./includes/cf/sco.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
    ./includes/cf/sunos4.h:/* SunOS doesn't support limited sprintfs. */
    ./includes/cf/sunos4.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
    ./includes/cf/sunos5-5.h:/* Solaris doesn't support limited sprintfs. */
    ./includes/cf/sunos5-5.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
    ./includes/cf/ultrix.h:#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)

    I know that Ted Lemon, the primary author, is aware of this. I
    mentioned it to him a while ago. I am also not aware of this
    causing any security holes, although I honestly have not given
    his source a security audit.

    There are replacement 'snprintf' packages which avoid
    this. Patrick Powell's replacement is used in Mutt (a popular
    MUA) and has a very liberal license.

    -- 
    Thamer Al-Harbash            http://www.whitefang.com/
              team dresch made me do it
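The macros quoted above fix the problem of a missing vsnprintf() by throwing away the size argument entirely, so every caller that believed it was bounded is not. Added here as an example (not from the post or from the ISC dhcp tree) is a fallback that keeps vsnprintf()-style semantics on a platform that only has vsprintf(): it measures the output first, formats into an exactly sized heap buffer, and copies at most size-1 bytes into the caller's buffer, returning the full length so truncation can be detected. It assumes a POSIX system where /dev/null can be opened for writing.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count the characters the formatted output needs without touching memory,
 * by formatting into a discard stream (assumes /dev/null exists). */
static int format_length(const char *fmt, va_list ap)
{
    FILE *sink = fopen("/dev/null", "w");
    int n;
    if (sink == NULL)
        return -1;
    n = vfprintf(sink, fmt, ap);
    fclose(sink);
    return n;
}

/* Bounded replacement: writes at most size bytes to buf, NUL-terminates when
 * size > 0, and returns the length the full output needed (-1 on error). */
int bounded_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    va_list ap2;
    char *tmp;
    int needed;

    va_copy(ap2, ap);
    needed = format_length(fmt, ap2);
    va_end(ap2);
    if (needed < 0 || (tmp = malloc((size_t)needed + 1)) == NULL)
        return -1;
    vsprintf(tmp, fmt, ap);            /* tmp is exactly large enough */
    if (size > 0) {
        size_t n = (size_t)needed < size - 1 ? (size_t)needed : size - 1;
        memcpy(buf, tmp, n);
        buf[n] = '\0';
    }
    free(tmp);
    return needed;
}

int bounded_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = bounded_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Self-check: an 8-byte buffer followed by a canary; returns the needed
 * length (17), or -1 if the canary was clobbered or truncation was wrong. */
int demo_truncation(void)
{
    struct { char buf[8]; char canary[8]; } s;
    int n;
    memcpy(s.canary, "CANARY!", 8);
    n = bounded_snprintf(s.buf, sizeof s.buf, "%s-%d", "overlong-input", 42);
    if (memcmp(s.canary, "CANARY!", 8) != 0 || strcmp(s.buf, "overlon") != 0)
        return -1;
    return n;
}
```

A return value of 17 against a buffer of 8 tells the caller the output was truncated, which the vsprintf() macro can never report.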