Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 25 Feb 2003 10:41:16 -0600
From: Mark Hatle <fray@...sta.com>
To: xvendor@...ts.openwall.com
Subject: Re: zlib gzprintf() patch

Is this due to an audit?  Or did you find a problem/crash w/ errant data?

--Mark

Solar Designer wrote:
> Hi,
> 
> Just thought I'd share the tiny patch that went into Owl.  Attached.
> 
> The lack of configure checking for vsnprintf() is intentional (I want
> this to not compile without a vsnprintf() anyway).
> 
> The Owl change log entry is:
> 
> 2003/02/25	Package: zlib
> Corrected a potential buffer overflow in gzprintf(), thanks to Bugtraq
> postings by Crazy Einstein, Richard Kettlewell, and Carlo Marcelo
> Arenas Belon.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> diff -ur zlib-1.1.4.orig/gzio.c zlib-1.1.4/gzio.c
> --- zlib-1.1.4.orig/gzio.c	Mon Mar 11 16:16:01 2002
> +++ zlib-1.1.4/gzio.c	Tue Feb 25 07:08:36 2003
> @@ -529,14 +529,9 @@
>      int len;
>  
>      va_start(va, format);
> -#ifdef HAS_vsnprintf
> -    (void)vsnprintf(buf, sizeof(buf), format, va);
> -#else
> -    (void)vsprintf(buf, format, va);
> -#endif
> +    len = vsnprintf(buf, sizeof(buf), format, va);
>      va_end(va);
> -    len = strlen(buf); /* some *sprintf don't return the nb of bytes written */
> -    if (len <= 0) return 0;
> +    if (len <= 0 || len >= sizeof(buf)) return 0;
>  
>      return gzwrite(file, buf, (unsigned)len);
>  }
> @@ -552,15 +547,9 @@
>      char buf[Z_PRINTF_BUFSIZE];
>      int len;
>  
> -#ifdef HAS_snprintf
> -    snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
> +    len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
>  	     a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
> -#else
> -    sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
> -	    a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
> -#endif
> -    len = strlen(buf); /* old sprintf doesn't return the nb of bytes written */
> -    if (len <= 0) return 0;
> +    if (len <= 0 || len >= sizeof(buf)) return 0;
>  
>      return gzwrite(file, buf, len);
>  }


Powered by blists - more mailing lists

Your e-mail address:

Please check out the xvendor mailing list charter.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ