openbsd-compat regression tests
FELLIN, JEFF (ATTSI)
jf114b at att.com
Tue Apr 27 00:41:29 EST 2010
The snprintftest.c regression test in openbsd-compat/regress has a
buffer overflow error, and an argument error in the calls to snprintf(),
and vsnprintf().
On line 49 of snprintftest.c, the character buffer, b, is allocated at
5 bytes. However, in the calls to snprintf and vsnprintf, on lines 68
and 77 respectively, it is expected to place 11 bytes of data into the
buffer. Which will result in buffer overflow.
The second error is in the arguments to snprintf and vsnprintf in the
size argument to those functions. The size value is 1, indicating the
buffer is only 1 btye in length, this is according to the Open Group
specification of snprintf, and vsnprintf. Hence the test for the return
value being 11 should always fail. Which it did on my system, Linux
2.6.18-164.15.1.el5 GNU/Linux X86_64.
Jeff Fellin
AT&T Labs
More information about the openssh-unix-dev
mailing list