On Mon, 21 Nov 2016 20:37:14 +0200 Timo Teras <timo.te...@iki.fi> wrote:
>
> It is still good practice to fill it with snprintf. If this is done,
> proper error checking should be done to check the final 'len' that it
> does not exceed IOBUF_SIZE or you have an information leak bug (since
> snprintf returns the length it would generate if the buffer was unbounded;
> not the length it actually wrote to the buffer).
>

Exactly. It typically goes like this: someone is using functions generally
considered "unsafe" because they know for sure it is not exploitable the way
it's being used in this specific instance. Then eventually someone else comes
along, adds feature X using unsafe functions as well (you try to do it the
same way the rest is written, right?), and boom, you suddenly get your exploit
because X happens to enable the remote user to inject arbitrarily long data
(think some %s the user can control).

It should be fixed properly, handling the case where the return value is
either > BUFSIZ or even < 0. As a compromise, something like xsnprintf would
do (if we don't have it already; not currently able to easily grep busybox).
Potential termination is still better than potential exploitability.

(...or just ignore old IE and write to the fd repeatedly...)
- Simon

_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
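The snprintf return-value pitfall discussed in the thread, shown as an added example that is not code from the mail or from busybox: snprintf reports the length the complete string would have had, so a caller that uses that number as "bytes now in iobuf" will send data it never formatted once the input no longer fits. The buffer size IOBUF_SIZE, the format string, the file names and the checked_snprintf wrapper (a stand-in for the xsnprintf idea in the mail, not busybox's own function) are all constructed for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the example; busybox's real IOBUF_SIZE is
 * not given on the page. */
#define IOBUF_SIZE 32

/* Pattern the thread warns about: the raw snprintf return value is taken
 * as the number of bytes that ended up in iobuf. On truncation 'len' is
 * larger than the buffer, so a caller that writes 'len' bytes from iobuf
 * sends whatever lies beyond the formatted text. */
int format_unchecked(char *iobuf, size_t size, const char *filename)
{
    return snprintf(iobuf, size, "filename=\"%s\"\r\n", filename);
}

/* Checked wrapper in the spirit of the xsnprintf mentioned in the mail
 * (hypothetical name): returns the bytes actually placed in buf, or -1 on
 * an encoding error (len < 0) or truncation (len >= size), so the caller
 * can refuse the request instead of sending bytes it never produced. */
int checked_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    if (len < 0 || (size_t)len >= size) {
        if (size > 0)
            buf[0] = '\0';   /* leave no half-formatted line behind */
        return -1;
    }
    return len;
}

int format_checked(char *iobuf, size_t size, const char *filename)
{
    return checked_snprintf(iobuf, size, "filename=\"%s\"\r\n", filename);
}

/* Bytes a naive caller would send beyond what snprintf actually wrote;
 * anything positive is the information leak from the thread. */
int overshoot(const char *filename)
{
    char iobuf[IOBUF_SIZE];
    int len = format_unchecked(iobuf, sizeof(iobuf), filename);
    if (len < 0)
        return len;
    return len - (int)strlen(iobuf);
}

/* Same input through the checked path: the formatted length, or -1. */
int checked_len(const char *filename)
{
    char iobuf[IOBUF_SIZE];
    return format_checked(iobuf, sizeof(iobuf), filename);
}

int main(void)
{
    /* Constructed inputs: one that fits, one that does not. */
    const char *shortname = "report.txt";
    const char *longname = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

    printf("%-12s overshoot=%d checked_len=%d\n", shortname,
           overshoot(shortname), checked_len(shortname));
    printf("%-12s overshoot=%d checked_len=%d\n", "40 x 'A'",
           overshoot(longname), checked_len(longname));
    return 0;
}
```

With a 32-byte buffer the short name yields 23 bytes and no overshoot, while the 40-character name makes snprintf report 53 although only 31 bytes were stored: the unchecked caller would emit 22 bytes of leftover buffer contents, and the checked path returns -1 instead.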