Subject: Re: ssh buffer overflow / package?
To: Todd C. Miller <>
From: Andrew Brown <>
List: tech-security
Date: 11/02/1998 15:54:17
>If that were an issue wouldn't ssh always use its own snprintf?
>Since ssh 2.x is happy enough using the BSD snprintf I don't see
>how this is an issue for 1.2.26.

i dunno how 2.0.9 (and above) are using it, but they might be doing it
wrong.  as it says, there are subtle differences between the two, not
the least of which is the different return codes.

   root@noc::ttyp1:/usr/local/src/DONE/ssh-1.2.26# cat snprintftest.c
   #include <stdio.h>
     char buf[4];
     int l;
     printf("buf [%.4s] %d\n",buf,l);
   root@noc::ttyp1:/usr/local/src/DONE/ssh-1.2.26# make snprintftest
   gcc -pipe -g -O2   -o snprintftest snprintftest.c
   root@noc::ttyp1:/usr/local/src/DONE/ssh-1.2.26# ./snprintftest 
   buf [123] 8
   root@noc::ttyp1:/usr/local/src/DONE/ssh-1.2.26# rm snprintftest
   root@noc::ttyp1:/usr/local/src/DONE/ssh-1.2.26# make LDLIBS="snprintf.o xmalloc.o log-server.o" snprintftest
   gcc -pipe -g -O2   -o snprintftest snprintftest.c snprintf.o xmalloc.o log-server.o
   root@noc::ttyp1:/usr/local/src/DONE/ssh-1.2.26# ./snprintftest
   buf [123] 3

so...for the test case i made up, bsd (v)snprintf() will return 8,
while the ssh one will return 3.  that difference is enough to make me
think twice before taking a short cut.

on a personal note, i'm more concerned about the actual length of the
string than the length it might have been had my buffer been bigger.

|-----< "CODE WARRIOR" >-----|             * "ah!  i see you have the internet (Andrew Brown)                that goes *ping*!"       * "information is power -- share the wealth."