The snprintftest.c regression test in openbsd-compat/regress has a buffer overflow error, and an argument error in the calls to snprintf() and vsnprintf(). On line 49 of snprintftest.c, the character buffer, b, is allocated at 5 bytes. However, in the calls to snprintf and vsnprintf, on lines 68 and 77 respectively, it is expected to place 11 bytes of data into the buffer, which will result in a buffer overflow. The second error is in the size argument to snprintf and vsnprintf. The size value is 1, indicating the buffer is only 1 byte in length; this is according to the Open Group specification of snprintf and vsnprintf. Hence the test for the return value being 11 should always fail, which it did on my system, Linux 2.6.18-164.15.1.el5 GNU/Linux X86_64.

Jeff Fellin
AT&T Labs
Sorry for my mistake; I read the wrong lines in the Open Group spec for the behavior of snprintf and vsnprintf. I had read the lines for sprintf and vsprintf. Please accept my apologies for this mistake.

Sincerely,
Jeff Fellin
AT&T Labs
Hi Jeff,

FELLIN, JEFF (ATTSI) wrote:
> The snprintftest.c regression test in openbsd-compat/regress has a
> buffer overflow error, and an argument error in the calls to snprintf(),
> and vsnprintf().

Thanks for the bug report. Did you already fix these issues? Could you send a patch against the current source code?

//Peter
On Mon, 26 Apr 2010, Peter Stuge wrote:
> Hi Jeff,
>
> FELLIN, JEFF (ATTSI) wrote:
> > The snprintftest.c regression test in openbsd-compat/regress has a
> > buffer overflow error, and an argument error in the calls to snprintf(),
> > and vsnprintf().
>
> Thanks for the bug report. Did you already fix these issues? Could
> you send a patch against the current source code?

No, as Jeff has no doubt already realised, snprintf should return the size of the string that it would have created had the supplied buffer been large enough. This allows the caller to reliably check for truncation by comparing the return value to the supplied length (one still needs to check for a -1 return, which can happen in some obscure cases).

-d
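The return-value contract Damien describes is what the regress test relies on and what a caller should check. The following C is an added example written for this thread, not code from the openssh-portable tree or its snprintftest.c: `bounded_format`, `size_one_returns_full_length` and `log_line_status` are hypothetical helpers, and the 11-character string and the log-line format are constructed inputs. It reproduces the size-1 call from the thread (the buffer gets only a terminator, the return value is still 11), classifies truncation by comparing the return value to the supplied size, and handles the -1 case separately rather than treating a negative value as a length.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Outcome of a bounded format, derived from the C99/POSIX snprintf return. */
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/*
 * Format into buf[0..size) and report what happened. vsnprintf returns the
 * length the complete string would have had, so a value >= size means the
 * output was cut short; a negative value is a formatting/encoding error and
 * must not be used as a length. `wanted` (optional) receives the full length.
 */
static enum fmt_status
bounded_format(char *buf, size_t size, size_t *wanted, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    if (n < 0) {
        if (size > 0)
            buf[0] = '\0';          /* leave a valid (empty) string behind */
        if (wanted)
            *wanted = 0;
        return FMT_ERROR;
    }
    if (wanted)
        *wanted = (size_t)n;
    return ((size_t)n >= size) ? FMT_TRUNCATED : FMT_OK;
}

/*
 * The thread's scenario: a 5-byte buffer, an 11-character string, size 1.
 * Only the terminator is written, but the return value is the full 11.
 * Returns 1 if the contract held as expected.
 */
static int
size_one_returns_full_length(void)
{
    char b[5];
    size_t wanted = 0;
    enum fmt_status st;

    memset(b, 'x', sizeof b);
    st = bounded_format(b, 1, &wanted, "%s", "12345678901");  /* constructed */
    return st == FMT_TRUNCATED && wanted == 11 && b[0] == '\0' && b[1] == 'x';
}

/*
 * Constructed caller: build a fixed-size log line and refuse to emit a
 * silently cut-off record. 0 = fits, -1 = truncated, -2 = format error.
 */
static int
log_line_status(const char *user, const char *host)
{
    char line[32];
    size_t wanted;
    enum fmt_status st = bounded_format(line, sizeof line, &wanted,
                                        "login user=%s host=%s", user, host);

    if (st == FMT_OK)
        return 0;
    if (st == FMT_TRUNCATED)
        return -1;      /* caller could retry with a `wanted`+1 byte buffer */
    return -2;
}

int
main(void)
{
    printf("size-1 contract held: %d\n", size_one_returns_full_length());
    printf("short host: %d\n", log_line_status("alice", "h1"));
    printf("long host:  %d\n",
           log_line_status("alice", "a-very-long-hostname.example"));
    return 0;
}
```

Passing a NULL buffer with size 0 is the same contract used for sizing: the call writes nothing and the return value tells you how large a buffer to allocate, which `bounded_format` reports as FMT_TRUNCATED with `wanted` set.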