On Sun, Dec 28, 2008 at 12:42:46AM -0800, Kees Cook wrote:
> And, a possible solution from Anders Kaseorg...
> This example sprintf() call could be fixed as follows:
> -sprintf(buf, "%s plus %d", buf, k);
> +sprintf(buf + strlen(buf), " plus %d", k);
> Similarly, an invalid snprintf() call could be fixed as follows:
> -snprintf(buf, buflen, "%s plus %d", buf, k);
> +snprintf(buf + strlen(buf), buflen - strlen(buf), " plus %d", k);
>
> Attached is a list of affected packages, generated via:
> pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'
> pcregrep -M 'snprintf\s*\(\s*([^,]*)\s*,[^,]*,\s*"%s[^"]*"\s*,\s*\1\s*,'

I would note that this regexp, and the proposed solution, will not match
i18nized format strings; i.e.,

  sprintf(buf, _("%s plus %d"), buf, k);

I don't know whether these are also a problem in practice - but if so, using
sprintf(buf + strlen(buf) [...]) is definitely wrong.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
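As an added illustration of the two cases discussed in this thread (this is not code from the thread or from any affected package): append_fmt is the pointer-offset fix with snprintf's return value checked so truncation is reported rather than silently dropped, and rebuild_fmt covers the i18nized format string, where the translated format still consumes the old contents through %s and the offset trick therefore cannot be used, by formatting from a scratch copy so buf is never both destination and source. The `_()` macro is a placeholder assumption standing in for gettext.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define _(s) (s)  /* placeholder for gettext's _() (assumption, no translation here) */

/* Safe form of the "sprintf(buf + strlen(buf), ...)" fix: append to a
 * NUL-terminated buffer of `size` bytes and report truncation instead of
 * silently dropping output. Returns 0 on success, -1 if it did not fit. */
static int append_fmt(char *buf, size_t size, const char *fmt, ...)
{
    size_t len = strlen(buf);
    if (len >= size)
        return -1;                      /* not terminated within size */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + len, size - len, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= size - len) ? -1 : 0;
}

/* The i18n case: the translated format still names the old contents with
 * %s, so the pointer offset cannot be applied. Format from a scratch copy
 * so buf is never both the destination and a source argument. */
static int rebuild_fmt(char *buf, size_t size, const char *fmt, int k)
{
    char old[256];                      /* scratch copy of previous contents */
    if (strlen(buf) >= sizeof old)
        return -1;
    strcpy(old, buf);
    int n = snprintf(buf, size, fmt, old, k);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
    char buf[32] = "1 plus 2";          /* constructed sample contents */
    append_fmt(buf, sizeof buf, " plus %d", 3);
    rebuild_fmt(buf, sizeof buf, _("%s plus %d"), 4);
    puts(buf);                          /* 1 plus 2 plus 3 plus 4 */
    return 0;
}
```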