Hello!

No need to go ballistic about my mail.

On Mon, Mar 14, 2005 at 02:10:05PM -0700, Theo de Raadt wrote:
>libc is now compiled to warn about such things.

Yeah, I'm aware of that, I'm no newbie, but a software developer myself.

>Yes, there is a library like that included in OpenBSD, used by a few
>rare applications here and there..

>You may have heard of sprintf being associated with buffer overflows
>over the last, oh, what, 10 or more years?

And yeah, I have heard that. I'm fond of the ways OpenBSD uses to defend
against bugs like that, using multiple lines of defence (propolice, W^X
including a non-exec stack, randomized library load addresses, etc.),
and I'm very okay with this warning too (eliminated 2 sprintf
occurrences in own code too, they were non-critical, but easy to
replace, was things like char buf[4]; sprintf(buf, "%02x", ...),
replaced by the obvious snprintf(buf, sizeof(buf), "%02x", ...)).

So no need to defend against a non-existant criticism.

>In this case, it's not really our problem. Go do a ports tree compile.

>Please alert the GNU people about this problem in their code.

It's OpenBSD's copy of GNU code in this case (libstdc++ in OpenBSD's
source tree). I didn't refer to any ports.

>From now on, including OpenBSD 3.7, we will warn for such bad functions
>being called.

Which is a good thing.

>But it is up to the individual outside-source groups to clean their own
>code up.

>So mail them.

I think this case is a bit difficult. As I wrote in my original mail,
there *is* a snprintf variant in that libstdc++ code. It's just the
"configuration" of libstdc++ which assumes (wrongly, of course) that
OpenBSD had no snprintf and falls back to sprintf. That's probably
because it links usage of snprintf and usage of other C99 stuff (if I
believe the name of the preprocessor define which is tested for).

If I had known an easy and clean way to fix it, I'd have suggested a
diff for
/usr/src/gnu/lib/libstdc++/libstdc++/config/locale/{gnu,generic}/c_locale.h

I'm leaving parts of the original mail intact so you can see the
important parts.

>> After checking, it looks like something in libstdc++ really uses
>> sprintf:

>> $ nm /usr/lib/libstdc++.so.34.0 |grep sprintf
>> U sprintf

See, base, not ports!

>> This is i386, current as of last week (Mar 9).

>> Looks like either
>> src/gnu/lib/libstdc++/libstdc++/config/locale/generic/c_locale.h
>> or
>> src/gnu/lib/libstdc++/libstdc++/config/locale/gnu/c_locale.h
>> is the culprit. There's snprintf based replacement code there, but this
>> is conditionalized with #ifdef _GLIBCPP_USE_C99, which seems to be off
>> for OpenBSD.

>> I've seen no change to that code since the last upgrade (just ran cvsync
>> and cvs -nq up -A to check).

Kind regards,

Hannah.