overflowable buffers on some machines (ITS#934)
Full_Name: jose nazario
Version: 2.0.7
OS: OpenBSD
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (129.22.152.109)
Hi,
I was developing some source checking code the other day and found a marked
unchecked buffer in openldap-2.0.6, which is also present in openldap-2.0.7.
It probably exists in other versions.
openldap-2.0.7/libraries/liblber/bprint.c

#ifdef HAVE_VSNPRINTF
	buf[sizeof(buf) - 1] = '\0';
	vsnprintf( buf, sizeof(buf)-1, fmt, ap );
#elif HAVE_VSPRINTF
	vsprintf( buf, fmt, ap ); /* hope it's not too long */
#else
	/* use doprnt() */
#error "vsprintf() required."
openldap-2.0.7/libraries/libldap/print.c

#ifdef HAVE_VSNPRINTF
	buf[sizeof(buf) - 1] = '\0';
	vsnprintf( buf, sizeof(buf)-1, fmt, ap );
#elif HAVE_VSPRINTF
	vsprintf( buf, fmt, ap ); /* hope it's not too long */
#else
	/* use doprnt() */
	chokeme = "choke me! I don't have a doprnt manual handy!";
#endif

liblutil/debug.c
	va_start( vl, fmt );

#ifdef HAVE_VSNPRINTF
	vsnprintf( buffer, sizeof(buffer), fmt, vl );
#else
	vsprintf( buffer, fmt, vl );
#endif
	buffer[sizeof(buffer)-1] = '\0';

liblutil/setproctitle.c

#ifdef HAVE_VSNPRINTF
	buf[sizeof(buf) - 1] = '\0';
	vsnprintf( buf, sizeof(buf)-1, fmt, ap );
#elif HAVE_VPRINTF
	vsprintf( buf, fmt, ap ); /* hope it's not too long */
#else
	/* use doprnt() */
	chokeme = "choke me! I don't have a doprnt() manual handy";
Possible solution: memcpy() and NULL the end before using vsprintf().
Affects: HP-UX 10.20, IRIX 6.2, maybe others (I know IRIX 6.5 has vsnprintf()).
Neither of which is shipping, but both remain popular.
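The excerpts above all share one shape: when HAVE_VSNPRINTF is undefined, the fallback is a plain vsprintf() into a fixed-size stack buffer, so a format argument longer than the buffer writes past its end. The following is an added example, not code from the report or from OpenLDAP: a hypothetical bounded_vformat() that a libc without vsnprintf() could use instead. It formats into a temporary stream (which has no length limit), copies back at most size - 1 bytes, always NUL-terminates, and returns the full length the way C99 vsnprintf() does, so the caller can detect truncation. The function names and the sample input are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenLDAP code. bounded_vformat() is a hypothetical
 * bounded replacement for the vsprintf() fallback compiled when
 * HAVE_VSNPRINTF is undefined. Rather than formatting straight into the
 * caller's fixed buffer, it formats into a temporary stream, then copies
 * back at most size - 1 bytes and NUL-terminates. Like C99 vsnprintf() it
 * returns the length the whole string would have had, so ret >= size means
 * the output was truncated; -1 means an I/O failure.
 */
static int bounded_vformat(char *buf, size_t size, const char *fmt, va_list ap)
{
    FILE *tmp = tmpfile();
    long len;
    size_t n;

    if (tmp == NULL)
        return -1;
    if (vfprintf(tmp, fmt, ap) < 0 || fflush(tmp) != 0) {
        fclose(tmp);
        return -1;
    }
    len = ftell(tmp);
    if (len < 0) {
        fclose(tmp);
        return -1;
    }
    if (size > 0) {
        /* Copy only what fits, leaving room for the terminator. */
        n = (size_t)len < size - 1 ? (size_t)len : size - 1;
        rewind(tmp);
        if (fread(buf, 1, n, tmp) != n) {
            fclose(tmp);
            return -1;
        }
        buf[n] = '\0';
    }
    fclose(tmp);
    return (int)len;
}

/* Variadic front end with the shape the callers in the excerpts expect. */
static int bounded_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int ret;

    va_start(ap, fmt);
    ret = bounded_vformat(buf, size, fmt, ap);
    va_end(ap);
    return ret;
}

/* True when a vsnprintf()-style return value says the buffer was too small
 * (or the call failed). The HAVE_VSNPRINTF branches above never check this,
 * so an overlong message is silently cut rather than overflowing. */
static int format_was_truncated(int ret, size_t size)
{
    return ret < 0 || (size_t)ret >= size;
}

int main(void)
{
    char buf[16];
    /* Constructed input: longer than buf, as an overlong debug message would be. */
    const char *payload = "0123456789abcdefghij";
    int ret = bounded_format(buf, sizeof buf, "%s", payload);

    printf("wanted %d bytes, stored \"%s\" (%zu), truncated=%d\n",
           ret, buf, strlen(buf), format_was_truncated(ret, sizeof buf));
    return 0;
}
```

tmpfile() per call is slow and touches the filesystem, which is tolerable for debug and log paths but not for hot code; the point is that the result can never exceed the caller's buffer. On hosts that do have vsnprintf(), the same format_was_truncated() check applies to its return value.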