"Secure coding" audit checkers and Kerberos
Ken Raeburn
raeburn at MIT.EDU
Wed Oct 15 17:26:06 EDT 2008
On Oct 15, 2008, at 17:05, John Hascall wrote: [quoting Nico]
>> But you don't need to. You can implement asprintf() on top of even an
>> old snprintf() -- just realloc() if snprintf() > the allocated
>> buffer.
http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi/trunk/src/util/support/printf.c?rev=20871&view=markup
> 1) snprintf is also non-standard
It's in C99, SUSv2, and POSIX 2004. Between those and the popular
implementations we'd need/want to deal with, we've got somewhat loose
specifications on the return value, but otherwise AFAIK they're pretty
consistent.
> 2) there are some horrible snprintf's out there,
> including ones which do little more than call sprintf!
Time for a security advisory for that OS, then.
We could throw in a configure test -- snprintf to a short automatic
buffer with a large amount of stuff to write -- and see if it trashes
the stack and crashes the program. If so, refuse to build. A runtime
test might be better if binaries get distributed, but wastes cycles
for reasonable platforms.
We could, if need be, include an snprintf implementation for platforms
that either omit or seriously botch it. Enough modern systems have it
that I wouldn't be too upset about a quick hack that isn't efficient
on those platforms, like I suggested last night. But initially at
least I'd be inclined not to worry about it until we hear of specific
problems.
Ken
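Two of the ideas in this thread, building asprintf() on a bounded snprintf() with a realloc() retry loop, and checking at build or run time whether the platform's snprintf() actually honours its size argument, as an added example in C. This is not code from the thread or from MIT Kerberos; the names my_vasprintf, my_asprintf and snprintf_respects_size are made up for the example. It assumes the C99 return contract (snprintf() returns the length that would have been written) but also copes with the older convention of returning -1 on truncation, which is the "somewhat loose" return-value behaviour the message mentions.

```c
/* Added example, not MIT Kerberos code: asprintf() built on vsnprintf(),
 * plus a canary check for a broken snprintf(). Names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Formats into a freshly malloc'd string. Returns the length on success,
 * or -1 (with *strp set to NULL) on allocation or formatting failure. */
int my_vasprintf(char **strp, const char *fmt, va_list ap)
{
    size_t size = 64;                /* initial guess; grows as needed */
    char *buf = NULL;

    *strp = NULL;
    for (;;) {
        va_list ap2;
        int n;
        char *nbuf = realloc(buf, size);
        if (nbuf == NULL) {
            free(buf);
            return -1;
        }
        buf = nbuf;

        /* A va_list may be consumed by the callee, so copy it per attempt. */
        va_copy(ap2, ap);
        n = vsnprintf(buf, size, fmt, ap2);
        va_end(ap2);

        if (n < 0) {
            /* Pre-C99 behaviour: -1 means "truncated" (or a real error).
             * Grow geometrically, but cap it so a genuine error cannot
             * loop forever. The 16 MiB cap is an arbitrary example value. */
            if (size >= ((size_t)1 << 24)) {
                free(buf);
                return -1;
            }
            size *= 2;
            continue;
        }
        if ((size_t)n < size) {
            *strp = buf;             /* fit, including the terminating NUL */
            return n;
        }
        /* C99 contract: n is the length needed, so retry with n + 1 bytes. */
        size = (size_t)n + 1;
    }
}

int my_asprintf(char **strp, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = my_vasprintf(strp, fmt, ap);
    va_end(ap);
    return n;
}

/* Sanity check in the spirit of the configure test proposed above, but
 * done in a heap region we control so a misbehaving snprintf() overruns a
 * guard area instead of the stack. Returns 1 if snprintf() honoured its
 * size argument (bounded write, NUL terminated), 0 otherwise. */
int snprintf_respects_size(void)
{
    enum { SMALL = 8, GUARD = 256 };
    char *region = malloc(SMALL + GUARD);
    int ok = 1, i;

    if (region == NULL)
        return 0;
    memset(region, 'G', SMALL + GUARD);
    /* Far more than SMALL bytes requested; a correct snprintf truncates. */
    snprintf(region, SMALL, "%s", "this string is much longer than eight bytes");
    if (region[SMALL - 1] != '\0')   /* truncation must still terminate */
        ok = 0;
    for (i = SMALL; i < SMALL + GUARD; i++)   /* guard must be untouched */
        if (region[i] != 'G')
            ok = 0;
    free(region);
    return ok;
}

int main(void)
{
    char *s = NULL;
    int n = my_asprintf(&s, "%s-%d", "ticket", 42);
    printf("%d %s (snprintf ok: %d)\n", n, s ? s : "(null)",
           snprintf_respects_size());
    free(s);
    return 0;
}
```

The retry loop is the whole point: with a C99 snprintf() the second pass allocates exactly n + 1 bytes, and with an old -1-on-truncation implementation it doubles until the output fits, so the same code is safe on both. The canary check is the safe form of the "trash the stack and see" test; a platform where it returns 0 is one where the snprintf fallback the message mentions would be needed.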