
[bug-inetutils] Re: Hi dee Ho list!


From: Maz The Northener
Subject: [bug-inetutils] Re: Hi dee Ho list!
Date: Wed, 30 Dec 2009 02:32:40 +0200

Please ignore this. It seems the buf or buflen is not used after this,
and advancing buf is not visible outside the scope of this function.

On 12/30/09, Maz The Northener <address@hidden> wrote:
> Hi dee Ho list!
>
> Tonight was one of these nights. I was staring at the computer screen,
> knowing that I have dozens of things I should do - but felt like doing
> none of those. I bet most of us have had such moments.
>
> So I decided to download sources for a random gnu package, and just
> browse some code trying to find a bug. Do not judge me as being a nasty,
> destructive bastard, I just try to possibly eliminate one problem from
> the future.
>
> Well, I opened libtelnet/shishi.c file - it sounded like fun. (I've no
> idea what is shishi, it sounds like something I could drink :D ) and
> at line 591 I saw it. (sources taken from git just a few moments ago).
>
> function krb5shishi_printsub(). (I have no idea where this is called
> from, and thus I have no idea if we really have a bug here, or just
> something my eye caught as a peculiar thing).
>
> Here is:
>
>   p = req_type_str (data[3]);
>   if (!p)
>     {
>       int l = snprintf (buf, buflen, " %d (unknown)", data[3]);
>       buf += l;
>       buflen -= l;
>     }
>
> and buf is a char pointer (buffer) coming from arguments, buflen is an
> int, also coming from arguments.
>
> What we do not do here, is checking the return value from snprintf (e.g.
> if supplied buffer was large enough). Then we advance buf pointer with
> amount of returned value etc.
>
> If supplied buffer was not long enough, snprintf probably returns the
> length that would have been needed to fit the text in buffer. So after
> increment the buf will point beyond the supplied buffer's boundaries.
> But as I stated, I do not know the context this thing is sitting in,
> so I cannot say if this is a problem or not. But I assume it is
> possible the data written by snprintf can exceed size of the buffer -
> otherwise I would probably see just sprintf here?
>
> Anyways, now I managed to spend my free time without actually doing
> things I should've been doing, so I guess I may just as well stop
> bothering you. :]
>
> Thank you for all the great work you do, and keep things going mates :]
> I will keep watching this list from now on :)
>
> -Matti.
>
>
>
>
> BrakesAreForCowards!!!
> When you feel blue, no one sees your tears... When you're down, no one
> understands your struggle...
> When you feel happy, no one notices your smile...
> But fart just once...
> I would love to create a freeware game with C - unless I was working at
> NSN.
>


-- 

-Matti "Maz" Vaittinen
CWF coding team leader
http://www.curlysworldoffreeware.com/

BrakesAreForCowards!!!
When you feel blue, no one sees your tears... When you're down, no one
understands your struggle...
When you feel happy, no one notices your smile...
But fart just once...
I would love to create a freeware game with C - unless I was working at NSN.
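
The snprintf behaviour discussed in this thread, as an added example that is not part of the original messages and is not inetutils code: snprintf returns the length the full text would have needed, so a cursor advanced by that value lands past the buffer whenever the output was truncated. The helper name `append_fmt` and the sample buffer are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not from inetutils): append formatted text at *buf,
   moving *buf and shrinking *buflen only by what was actually stored.
   Returns 0 on success, -1 on output error or truncation. */
static int
append_fmt (char **buf, size_t *buflen, const char *fmt, ...)
{
  va_list ap;
  int l;

  if (*buflen == 0)
    return -1;                  /* no room even for the terminating NUL */

  va_start (ap, fmt);
  l = vsnprintf (*buf, *buflen, fmt, ap);
  va_end (ap);

  if (l < 0)
    return -1;                  /* output error: leave the cursor unchanged */

  if ((size_t) l >= *buflen)
    {
      /* Truncated: l is the length that WOULD have been written.  Only
         *buflen - 1 characters plus the NUL are in the buffer, so park
         the cursor on the NUL instead of adding l to it. */
      *buf += *buflen - 1;
      *buflen = 1;
      return -1;
    }

  *buf += l;
  *buflen -= (size_t) l;
  return 0;
}

int
main (void)
{
  char out[8];                  /* constructed: too small for " 200 (unknown)" */
  char *p = out;
  size_t left = sizeof out;
  int rc = append_fmt (&p, &left, " %d (unknown)", 200);

  printf ("rc=%d stored=\"%s\" offset=%td left=%zu\n", rc, out, p - out, left);
  return 0;
}
```

With the unchecked `buf += l; buflen -= l;` pattern, the same call would move the cursor 14 bytes into an 8-byte buffer and leave a negative `buflen` for any later write.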



