Subject: Re: ssh buffer overflow / package?
To: Andrew Brown <email@example.com>
From: Todd Vierling <firstname.lastname@example.org>
Date: 11/02/1998 17:56:22
On Mon, 2 Nov 1998, Andrew Brown wrote:
: the only problem with this (ie, why i didn't simply do this but
: instead did the whole routine as advised by ibm in the rootshell
: advisory) is because of this nice big comment at the top of the
: snprintf.h file that you're supposed to steal from the ssh2 package:
: NOTE: This does NOT work identically with BDS's snprintf.
: they're subtlely different and where security is concerned, i'd rather
: not fiddle about with maybes.
However, the comment indicates that the snprintf from ssh2 has the
ambiguity--you'd be changing behavior by using it. Remember, you're
replacing calls to _BSD's_ vsprintf with _BSD's_ vsnprintf, which changes no
-- Todd Vierling (Personal email@example.com; Bus. firstname.lastname@example.org)