lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20070111142120.GB7857@codeblau.de>
Date: Thu, 11 Jan 2007 15:21:20 +0100
From: Felix von Leitner <felix-fulldisclosure@...e.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: new class of printf issue: int overflow

Thus spake Thomas (tom@...ctric-sheep.org):
> > I just read some gnupg source code and stumbled upon their
> > vasprintf implementation.
> Did you told them about it?

I'm, uh, still working on that. :-)

> > But that got me thinking.  *printf return an int, and it's supposed to
> > be the number of chars written.  So a typical idiom is
> > 
> >   size_t memory_needed=snprintf(NULL,0,format_string,...);
> >   char* ptr=malloc(memory_needed+1);
> >   sprintf(ptr,format_string,...);
> This is nothing new.
> It is documented in the man-page and in the libc sources.

What is documented in what man page?  Neither the Linux man page nor the
SUSv3 say anything about integer overflows and what sprintf should
return in that case.

And, uh, glibc does not handle the issue, so the libc code does not
document anything either.

Felix

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ