Subject: Re: ssh buffer overflow / package?
To: Todd C. Miller <>
From: Andrew Brown <>
List: tech-security
Date: 11/02/1998 15:01:31
>The only source from 2.x is an snprintf implementation, which NetBSD
>doesn't need since it is in libc.  To use vsnprintf() instead of
>vsprintf() in the logging functions like the IBM advisory suggests
>you can apply the following.

[patch deleted]

or you can just add the macro

   #define vsprintf(buf, fmt, args) vsnprintf(buf, sizeof(buf), fmt, args)

to each of the three files in question.

the only problem with this (ie, why i didn't simply do this but
instead did the whole routine as advised by ibm in the rootshell
advisory) is because of this nice big comment at the top of the
snprintf.h file that you're supposed to steal from the ssh2 package:

/* Write formatted text to buffer 'str', using format string 'format'.
   Returns number of characters written, or negative if error
   occurred. SshBuffer's size is given in 'size'. Format string is
   understood as defined in ANSI C.

   NOTE: This does NOT work identically with BDS's snprintf.

   Integers: Ansi C says that precision specifies the minimun
   number of digits to print. BSD's version however counts the
   prefixes (+, -, ' ', '0x', '0X', octal prefix '0'...) as

   Also, BSD implementation does not permit padding integers
   to specified width with zeros on left (in front of the prefixes),
   it uses spaces instead, even when Ansi C only forbids padding
   with zeros on the right side of numbers.

they're subtlely different and where security is concerned, i'd rather
not fiddle about with maybes.

|-----< "CODE WARRIOR" >-----|             * "ah!  i see you have the internet (Andrew Brown)                that goes *ping*!"       * "information is power -- share the wealth."