Re: small c problem

To: debian-mentors@lists.debian.org
Subject: Re: small c problem
From: Russell Coker <russell@coker.com.au>
Date: Fri, 16 Jul 1999 13:26:34 +1000
Message-id: <[🔎] 9907161327120B.00697@lyta>
Reply-to: russell@coker.com.au
References: <[🔎] st2emijy0hn.fsf@mirjam.informatik.uni-tuebingen.de>

On Thu, 08 Jul 1999, Falk Hueffner wrote:
>Jeff Licquia <jeff@luci.org> writes:
>> Please accomodate this paranoid, if you would...
>> 
>> snprintf() is better than sprintf(), both for reliability and for
>> security reasons.  snprintf() takes a length parameter, and will not
>> fill the buffer past its end.  Using sprintf() (and strcat() for that
>> matter, and all manner of other string functions) in setuid and
>> root-owned processes is the #1 cause of security problems under both
>> Unix and NT.
>> 
>> Yes, this use of sprintf() is likely OK, since you control the one
>> variable used.  And perhaps this won't be root-owned or setuid in
>> normal circumstances.  Still, it's a good habit to get into.
>
>Unfortunately, snprintf is a GNU extension and not generally available
>on other Unixen. So I wouldn't use it without shipping the function
>with the source (some projects do this).

MS Visual C++ has it...

--
She says "This, is the real thing,
coz you're never gonna find the door"
I'm on my way.

Reply to:

References:
- Re: small c problem
  - From: Falk Hueffner <falk.hueffner@student.uni-tuebingen.de>

Prev by Date: Re: from potato to slink
Next by Date: dh_suidregister
Previous by thread: Re: small c problem
Next by thread: forgot stg...
Index(es):
- Date
- Thread