Subject: Re: ssh buffer overflow / package?
To: Andrew Brown <twofsonet@graffiti.com>
From: Marc Slemko <marcs@znep.com>
List: tech-security
Date: 11/03/1998 09:45:41
On Mon, 2 Nov 1998, Andrew Brown wrote:

> >The only source from 2.x is an snprintf implementation, which NetBSD
> >doesn't need since it is in libc.  To use vsnprintf() instead of
> >vsprintf() in the logging functions like the IBM advisory suggests
> >you can apply the following.
> 
> [patch deleted]
> 
> or you can just add the macro
> 
>    #define vsprintf(buf, fmt, args) vsnprintf(buf, sizeof(buf), fmt, args)
> 
> to each of the three files in question.
> 
> the only problem with this (i.e., why I didn't simply do this but
> instead did the whole routine as advised by IBM in the rootshell
> advisory) is because of this nice big comment at the top of the
> snprintf.h file that you're supposed to steal from the ssh2 package:

Erm... not exactly.  It would be quite foolish to assume that every buffer
passed in is on the stack.  Even if that were the case now, you are
condemning anyone who tries to change the code in the future to suffering
from the results of a horrible hack.

I really wouldn't worry about what the ssh2 header file says about its
semantics, since the current code is using native *sprintf calls already.
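The distinction the reply is drawing, as an added example that is not code from this thread, from the ssh package, or from the IBM advisory: the proposed macro (here under the assumed name vsprintf_sizeof) applied once where the buffer is a local array and once where it is a pointer parameter, beside a version that carries the capacity explicitly. The 32-character message, the 64-byte buffers and all function names are constructed for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * The macro from the quoted message, under an assumed name so it can sit
 * next to an explicitly bounded alternative.  It rewrites
 * vsprintf(buf, ...) into vsnprintf(buf, sizeof(buf), ...).
 */
#define vsprintf_sizeof(buf, fmt, args) vsnprintf(buf, sizeof(buf), fmt, args)

/*
 * Case 1: the buffer is an array declared in the same scope.  sizeof(line)
 * is the array's capacity (16), so the macro bounds the write correctly.
 * Returns the number of characters actually stored.
 */
size_t format_into_local_array(const char *fmt, ...)
{
    char line[16];
    va_list ap;

    va_start(ap, fmt);
    vsprintf_sizeof(line, fmt, ap);     /* expands with sizeof(line) == 16 */
    va_end(ap);
    return strlen(line);
}

/*
 * Case 2: the buffer arrives as a pointer parameter, the usual shape of a
 * logging helper.  sizeof(buf) is now sizeof(char *), not the capacity of
 * the memory buf points at, so the macro silently clips the message at
 * (pointer size - 1) characters whatever the real buffer size is.
 */
size_t format_into_pointer(char *buf, const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vsprintf_sizeof(buf, fmt, ap);      /* expands with sizeof(buf) == sizeof(char *) */
    va_end(ap);
    return strlen(buf);
}

/*
 * The explicit fix: carry the capacity as a parameter and call vsnprintf
 * directly.  Returns the number of characters stored (not the number that
 * would have been written), so a caller can detect truncation by comparing
 * the result with cap - 1.
 */
size_t format_bounded(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (cap == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    if (n < 0) {                /* encoding error: leave an empty string */
        buf[0] = '\0';
        return 0;
    }
    return (size_t)n < cap ? (size_t)n : cap - 1;
}

/* Helpers that own a 64-byte buffer so the cases can be compared directly. */
size_t demo_pointer_case(const char *msg)
{
    char buf[64];
    return format_into_pointer(buf, "%s", msg);
}

size_t demo_bounded_case(const char *msg, size_t cap)
{
    char buf[64];
    if (cap > sizeof(buf))
        cap = sizeof(buf);
    return format_bounded(buf, cap, "%s", msg);
}

int main(void)
{
    /* Constructed sample: a 32-character message longer than every limit. */
    const char *msg = "0123456789abcdef0123456789abcdef";

    printf("local array  : %zu chars stored (limit sizeof(line) = 16)\n",
           format_into_local_array("%s", msg));
    printf("pointer param: %zu chars stored (limit sizeof(char *) = %zu)\n",
           demo_pointer_case(msg), sizeof(char *));
    printf("explicit cap : %zu chars stored (limit 64)\n",
           demo_bounded_case(msg, 64));
    return 0;
}
```

The pointer case does not overflow, but it throws away almost the whole log line: 7 characters survive on an LP64 host, 3 on an ILP32 one, and nothing in the source tells a later maintainer why. Passing the capacity explicitly, as the advisory's rewritten logging functions do, keeps the bound next to the buffer it describes.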