From: Marc Slemko
Date: Wed, 4 Nov 1998 10:48:53 -0800 (PST)
To: Andrew McNaughton
cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: [rootshell] Security Bulletin #25 (fwd)

On Wed, 4 Nov 1998, Andrew McNaughton wrote:

> On Wed, 4 Nov 1998, Nicholas Charles Brawn wrote:
>
> > Well I just grabbed 1.2.26 and did:
> > find . -exec grep sprintf {} \; |wc -l
> >
> > And came up with 138 lines. Just having sprintf() in your code is not
> > indicative of a vulnerability, but it's still a high number.
>
> ssh is commonly used for piping substantial amounts of data, and can
> probably claim good reasons for using the faster non-bounds-checking
> routines in many of these cases. Doesn't apply to low volume things like
> the logging routines though.

NO! Get all ideas of bounds checking only being suitable for "low volume" things out of your mind. First, if ssh is using sprintf for any bulk data copies then it is horribly broken anyway. Second, by the very nature of bulk data copies you have to have fixed bounds on the size of the data you are copying.
Functions that do bounds checking, like snprintf(), do not have any significant performance drawbacks in 99.9% of the cases. There are far more differences between sprintf implementations than between sprintf and snprintf. In fact, on FreeBSD sprintf() and snprintf() both call the same function; the only difference is that sprintf sets _size to INT_MAX while snprintf sets it to what you tell it.
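The point Marc makes, that snprintf() is the same formatter with a real bound, as an added C example that is not from this thread or from ssh: a bounded wrapper that reports truncation through the snprintf return value, plus a measuring check (vsnprintf with a NULL buffer and size 0) that shows when an unbounded sprintf() into the same buffer would have run past its end. The format string and sample values are constructed.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcome of a bounded formatting call. */
typedef struct {
    int needed;      /* bytes the full output requires, excluding the NUL */
    bool truncated;  /* true when buf was too small to hold it all */
} fmt_result;

/* Bounded replacement for sprintf(): vsnprintf() writes at most size-1
 * characters plus a NUL and returns the length the complete string would
 * have had, so a return value >= size means the output was cut off. */
fmt_result bounded_format(char *buf, size_t size, const char *fmt, ...)
{
    fmt_result r;
    va_list ap;
    va_start(ap, fmt);
    r.needed = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    r.truncated = r.needed < 0 || (size_t)r.needed >= size;
    return r;
}

/* Report whether an unbounded sprintf() of the same arguments into a buffer
 * of `size` bytes would overrun it. With a NULL buffer and size 0 vsnprintf()
 * only measures; nothing is written, so the check itself is safe. */
bool sprintf_would_overflow(size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return needed < 0 || (size_t)needed + 1 > size;  /* +1 for the NUL */
}

int main(void)
{
    char line[32];
    /* Constructed sample: the host is chosen so the line needs 33 bytes. */
    fmt_result r = bounded_format(line, sizeof line, "login from %s@%s",
                                  "alice", "mail.example.net");
    printf("%s (needed=%d, truncated=%d)\n", line, r.needed, r.truncated);
    printf("sprintf into %zu bytes would overflow: %d\n", sizeof line,
           sprintf_would_overflow(sizeof line, "login from %s@%s",
                                  "alice", "mail.example.net"));
    return 0;
}
```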