On Thu, 24 Jun 2004 08:27:11 PDT, VX Dude <vxdude2003@xxxxxxxxx> said:

> http://www.kb.cert.org/vuls/id/654390
>
> Apparently one of the new DHCP vulnerabilities stems
> from the following code found in a header file.
>
> #define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
>
> Why would any coder replace a more secure function
> with a less secure function? Personally I don't see
> any reason except to backdoor the software.

Hmm.. are you perchance new to software development? ;)

Quoting one of the advisories:

    VU#654390 discusses C include files for systems that do not support
    the bounds checking vsnprintf() function. These files define the
    bounds checking vsnprintf() to the non-bounds checking vsprintf()
    function. Since vsprintf() is a function that does not check bounds,
    the size is discarded, creating the potential for a buffer overflow
    when client data is supplied. Note that the vsnprintf() statements
    are defined after the vulnerable code that is discussed in VU#317350.

It's easier to just #define the critter than to re-re-invent the C code
for vsnprintf() (which isn't always trivial, as your vsnprintf() has to
play nice with the vendor's stdio - this can be .. umm... "interesting"
if the innards of the vendor stdio are more bizarre than usual...).

Go ahead - go and re-write a vsnprintf, and compare that to the time it
takes to do the #define, and remember that this situation almost
certainly came up because some *other* coder had changed a vsprintf() to
a vsnprintf() for the obvious security reasons, it built OK on the other
coder's test box, they released a -rc release candidate, and the build
broke on OTHER systems because there wasn't a vsnprintf() in the vendor
libc - and your boss is telling you TO GET THE THING TO BUILD, NOW....

The programmer who is willing to swear on a Bible that they have *never*
in their professional careers done something like this because they were
in a time crunch is either a newbie or a complete liar.
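The thread's point is that the compatibility macro silently throws away the size argument, so every caller that was "fixed" to use vsnprintf() is back to an unbounded write on platforms whose libc lacks it. The following is an added example, not code from the original post or from the DHCP project, showing the shape of a portable fallback that keeps the bound instead of discarding it. The names compat_vsnprintf, compat_snprintf and demo_run are hypothetical; the client hostname is a constructed sample. The approach formats into a temporary file with vfprintf() (which cannot overflow a caller buffer) and then copies at most size-1 bytes back, so it does not need to reimplement the format engine against the vendor's stdio internals.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The advisory's shim, for reference only (deliberately NOT defined here):
 *   #define vsnprintf(buf, size, fmt, list) vsprintf(buf, fmt, list)
 * It compiles everywhere, but 'size' is dropped on the floor. */

/* Hypothetical bounded fallback for a libc without vsnprintf().
 * Returns the full formatted length (C99 semantics) or -1 on error.
 * Never writes more than 'size' bytes into buf, including the NUL. */
int compat_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    FILE *tmp = tmpfile();          /* scratch stream, never a caller buffer */
    long len;
    size_t ncopy;

    if (tmp == NULL)
        return -1;

    len = vfprintf(tmp, fmt, ap);   /* full, unbounded formatting happens here */
    if (len < 0) {
        fclose(tmp);
        return -1;
    }

    if (size > 0) {
        /* Copy back only what fits, leaving room for the terminator. */
        ncopy = ((size_t)len < size - 1) ? (size_t)len : size - 1;
        rewind(tmp);
        if (ncopy > 0 && fread(buf, 1, ncopy, tmp) != ncopy) {
            fclose(tmp);
            return -1;
        }
        buf[ncopy] = '\0';
    }

    fclose(tmp);
    return (int)len;                /* caller can detect truncation: len >= size */
}

/* Variadic wrapper, same contract as C99 snprintf(). */
int compat_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = compat_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return r;
}

/* Demonstration on an 8-byte buffer with a client-supplied name that is
 * far longer than the buffer: the macro version would overflow, this one
 * truncates to "host=a-" and reports the length it would have needed. */
char demo_buf[8];

int demo_run(void)
{
    const char *client_name = "a-very-long-client-supplied-hostname"; /* constructed */
    return compat_snprintf(demo_buf, sizeof demo_buf, "host=%s", client_name);
}

int main(void)
{
    int n = demo_run();
    printf("needed %d bytes, stored \"%s\" (%lu chars)\n",
           n, demo_buf, (unsigned long)strlen(demo_buf));
    if ((size_t)n >= sizeof demo_buf)
        printf("output was truncated\n");
    return 0;
}
```

The truncation check at the end is the part the original macro makes impossible: with vsprintf() behind the name, there is no return value that tells you the buffer was too small, because the bytes have already gone past its end.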