Subject: Re: ssh buffer overflow / package?
To: Todd C. Miller <>
From: Andrew Brown <>
List: tech-security
Date: 11/02/1998 16:07:44
>> on a personal note, i'm more concerned about the actual length of the
>> string than the length it might have been had my buffer been bigger.
>Then you cannot detect truncation.  The reason for returning the
>size of the string if there was infinite space is to allow well-written
>code to detect when there was not enough space and do something
>about it.  Of course, since the return value can also be -1, you
>should never use the return value of snprintf without checking first

um...okay.  that's true.  you win that one.  :)

but i still think it's better to use the snprintf() it expects, than
something that behaves differently.  even if the difference makes the
implementation in question more correct.'s not that hard
to add in the two source files.

|-----< "CODE WARRIOR" >-----|             * "ah!  i see you have the internet (Andrew Brown)                that goes *ping*!"       * "information is power -- share the wealth."