
Re: overflowable buffers on some machines (ITS#934)



On Wed, 20 Dec 2000, Kurt D. Zeilenga wrote:

> Another possible solution is for the installer to provide a library,
> such as glibc, which contains the safer routines. As such libraries
> are readily available, we might require such eventually.

yeah, that's something i thought of, too. i did the eval some months back
but have been too busy to note. you can get freely available (v)snprintf()
code and include it if vsnprintf is not available. ssh, for one, did this.
i forgot entirely about it.

http://www.contactor.se/~dast/trio/
http://www.oranda.demon.co.uk/dist/snprintfv-0.98h.tar.gz

that's two. a bunch more are at http://www.ijs.si/software/snprintf/ .

i dislike glibc with a passion. it's horrific code, poorly done in too many
places. i think that solar's analysis where he found some gaping holes is
just the tip of the iceberg. asking me to use glibc is not a good idea.
you would be introducing far more bugs and problems than you would be
fixing.

thanks for the reply.

____________________________
jose nazario                                            jose@cwru.edu
                 PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                  PGP key ID 0xFD37F4E5 (pgp.mit.edu)
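The fix the thread converges on is to stop formatting into fixed buffers with unbounded sprintf()/vsprintf() and route everything through a bounded vsnprintf(), supplying a portable implementation (one of the packages linked above) on platforms that lack it. The wrapper below is an added example, not code from OpenLDAP or from either poster; the function names safe_format() and was_truncated() are hypothetical. It demonstrates the two details a practitioner has to get right when adopting vsnprintf(): the buffer is always NUL-terminated even when the output does not fit, and the return value is checked for truncation, including the pre-C99 behaviour where some implementations return -1 instead of the required length.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for sprintf() into a fixed buffer (hypothetical name).
 * Returns the length the full output would have had (excluding the NUL), or
 * -1 if the underlying vsnprintf() reported an error or signalled truncation
 * the pre-C99 way. In every case buf is NUL-terminated on return, so a caller
 * that forgets to check the result still cannot read past the buffer. */
int safe_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (buf == NULL || size == 0)
        return -1;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);   /* never writes more than size bytes */
    va_end(ap);

    /* Older vsnprintf() implementations return -1 on truncation and may leave
     * the buffer unterminated; force termination regardless of which C library
     * (or bundled fallback) is linked in. */
    buf[size - 1] = '\0';
    return n;
}

/* True when safe_format() could not fit the whole output into a buffer of
 * the given size: either the C99 "would have needed n >= size" signal or the
 * legacy -1 signal. */
int was_truncated(int n, size_t size)
{
    return n < 0 || (size_t)n >= size;
}

/* Constructed demonstration: an 8-byte buffer receiving an 11-character
 * string. vsprintf() would have written 12 bytes here and overrun the buffer;
 * the bounded call stores "hello w" and reports that 11 were needed. */
int demo_truncation(char *out, size_t outsize)
{
    return safe_format(out, outsize, "%s %s", "hello", "world");
}
```

In a build that uses a configure-style check, the same wrapper compiles unchanged whether vsnprintf() comes from the platform libc or from a bundled trio/snprintfv object linked in when the check fails; callers only need to test was_truncated() and decide whether a silently shortened string is acceptable at that call site.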