Re: [Code] Strange error.

From: Daniel A. Koepke (dkoepke@circlemud.org)
Date: 01/10/03


On Sat, 11 Jan 2003, Thomas Arp wrote:

> Actually the snprintf statement itself will never overflow, period.

Sure it will.  If the data to be written to the buffer is greater than the
size specified, snprintf() returns the number of characters that would
have been written to the buffer had there been space.  Thus, len can
become greater than sizeof(buf), meaning that sizeof(buf) - len can become
negative.  Since the size parameter is size_t, which is unsigned, that
negative value will become a large positive and snprintf() will happily
overflow your buffer.

Consequently, this use of snprintf() has very limited gains in safety over
sprintf(): it's only guaranteed to protect against the first overflow.
Subsequent calls to snprintf() will be able to overflow.

All this emphasizes is that snprintf() is not magic.  You still have to
give it good information for it to do its job.  In this case, you're not
giving it good information and so there's nothing preventing snprintf()
from overflowing your buffer.

-dak

--
   +---------------------------------------------------------------+
   | FAQ: http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html |
   | Archives: http://post.queensu.ca/listserv/wwwarch/circle.html |
   | Newbie List:  http://groups.yahoo.com/group/circle-newbies/   |
   +---------------------------------------------------------------+
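As an added example, not from the thread or from the CircleMUD code it discusses, the following C program reproduces the arithmetic Daniel describes and contrasts it with an appender that cannot wrap. Both helper names (`naive_second_size`, `safe_append`) are hypothetical. The naive function only computes the size the second snprintf() would receive and stops there; it never performs the overflowing write.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: the first half of the pattern under discussion.
 * A buffer of bufsize bytes is written with a string of first_len characters;
 * snprintf() returns first_len even when it truncates, so len ends up larger
 * than bufsize.  The function returns the value that "bufsize - len" would
 * hand to the next snprintf() as its size argument, and deliberately does not
 * perform that second write. */
static size_t naive_second_size(size_t bufsize, size_t first_len)
{
    char buf[64];           /* constructed scratch space; bufsize is capped to it */
    size_t len = 0;

    if (bufsize > sizeof(buf))
        bufsize = sizeof(buf);

    /* "%*s" pads an empty string out to first_len characters. */
    len += (size_t)snprintf(buf, bufsize, "%*s", (int)first_len, "");

    /* size_t arithmetic: when len > bufsize this wraps to a huge value. */
    return bufsize - len;
}

/* Hypothetical safe appender: tracks len itself, clamps it at the buffer
 * size on truncation, and therefore never passes a wrapped size to
 * vsnprintf().  Returns 0 when the whole string fit, -1 when output was
 * truncated or the buffer was already full. */
static int safe_append(char *buf, size_t bufsize, size_t *len,
                       const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*len >= bufsize)    /* nothing left: refuse instead of wrapping */
        return -1;

    va_start(ap, fmt);
    n = vsnprintf(buf + *len, bufsize - *len, fmt, ap);
    va_end(ap);

    if (n < 0)
        return -1;          /* encoding error; contents unspecified */

    if ((size_t)n >= bufsize - *len) {
        *len = bufsize - 1; /* buffer is full; NUL sits at buf[bufsize - 1] */
        return -1;
    }
    *len += (size_t)n;
    return 0;
}

int main(void)
{
    char buf[16];
    size_t len = 0;

    /* 20 characters into a 16-byte buffer: the "remaining" size wraps. */
    printf("naive size for second call: %zu\n",
           naive_second_size(sizeof(buf), 20));

    if (safe_append(buf, sizeof(buf), &len, "%s", "0123456789abcdefghij") != 0)
        printf("first append truncated, len=%zu buf=\"%s\"\n", len, buf);
    if (safe_append(buf, sizeof(buf), &len, "%s", "more") != 0)
        printf("second append refused, len=%zu buf=\"%s\"\n", len, buf);
    return 0;
}
```

The point the safe variant makes is the one in the mail: snprintf() protects only the call it is given correct bounds for, so the caller has to clamp the running length after a truncating call instead of feeding the would-be length back into the size computation.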



This archive was generated by hypermail 2b30 : 06/26/03 PDT