"Secure coding" audit checkers and Kerberos

Russ Allbery rra at stanford.edu
Tue Oct 14 22:39:31 EDT 2008

Luke Howard <lukeh at padl.com> writes:

>> Likewise, there's a public domain version of snprintf that I've been
>> using for some time for systems that either don't have snprintf (rare
>> these days) or that have a buggy / pre-C99 version (all versions of
>> Solaris prior to 9).
> So, did Sun change the return value in Solaris 9?

Yes, or perhaps Solaris 10.  I know they changed it, but don't remember
the point when that happened.

> snprintf() first appeared on Solaris 2.6 but its behaviour differs to
> most other platforms, in that it returns the number of bytes that would
> have been written regardless of buffer size.

I think you accidentally got that backwards.  That's the behavior
everywhere else, and is required by C99, but Solaris returned -1 instead.

The other thing to watch out for with snprintf is that some
implementations (older Solaris again, IIRC) don't allow the size to be 0
and str to be NULL to get a count of how much space would be required.

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
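The two snprintf pitfalls discussed in this thread (a pre-C99 implementation returning -1 instead of the would-be length, and one that rejects a NULL buffer with size 0 as a length probe) are shown below in an added C example. This is not code from the thread or from the Kerberos tree; the function names format_checked, format_needed and format_alloc are made up for the illustration, and the sample strings are constructed.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Format into buf (bufsize bytes).  Returns 0 when the whole string fit,
 * -1 when it was truncated.  Handles both return conventions:
 *   C99:     n >= bufsize means "would have needed n bytes"
 *   pre-C99: n == -1 means "did not fit" (old Solaris, per the thread)
 * In every case buf is left NUL-terminated and nothing past it is written.
 */
int format_checked(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (bufsize == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, bufsize, fmt, ap);
    va_end(ap);
    if (n < 0) {
        /* pre-C99 convention: termination is not guaranteed, force it */
        buf[bufsize - 1] = '\0';
        return -1;
    }
    if ((size_t)n >= bufsize)
        return -1;          /* C99 convention: output was truncated */
    return 0;
}

/*
 * The C99 length probe: NULL buffer, size 0, returns the length that would
 * be written (excluding the NUL).  Returns -1 where the implementation does
 * not support the probe, so callers can fall back to growing a buffer.
 */
int format_needed(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? -1 : n;
}

/*
 * Allocate a buffer exactly large enough for the formatted string without
 * depending on the size-0 probe.  With a C99 snprintf the second pass uses
 * the exact length; with a -1-returning one the buffer is doubled until
 * the output fits.  Caller frees the result; NULL on allocation failure.
 */
char *format_alloc(const char *fmt, ...)
{
    size_t size = 64;   /* starting guess, assumption for the example */

    for (;;) {
        char *buf = malloc(size);
        va_list ap;
        int n;

        if (buf == NULL)
            return NULL;
        va_start(ap, fmt);
        n = vsnprintf(buf, size, fmt, ap);
        va_end(ap);
        if (n >= 0 && (size_t)n < size)
            return buf;                 /* fit, including the NUL */
        free(buf);
        if (n >= 0)
            size = (size_t)n + 1;       /* C99: exact size now known */
        else if (size > SIZE_MAX / 2)
            return NULL;                /* refuse to overflow the size */
        else
            size *= 2;                  /* pre-C99: grow and retry */
    }
}

int main(void)
{
    char small[8];
    char *dyn;

    if (format_checked(small, sizeof small, "%s", "hello world") != 0)
        printf("truncated to \"%s\"\n", small);
    printf("probe says %d bytes needed\n", format_needed("%s", "hello world"));
    dyn = format_alloc("%s-%d", "principal", 12345);
    if (dyn != NULL) {
        printf("%s\n", dyn);
        free(dyn);
    }
    return 0;
}
```

The checked wrapper is the habit that the audit checkers in this thread are really asking for: treat the return value as a truncation signal rather than a byte count, and assume neither convention until the platform's snprintf has been checked.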
