[Python-Dev] Re: mysnprintf broken

M.-A. Lemburg mal@lemburg.com
Mon, 26 Nov 2001 10:27:41 +0100


"Martin v. Loewis" wrote:
> 
> > Is there some reason why we can't incorporate a free snprintf
> > implementation?  There is a list available at
> > http://www.ijs.si/software/snprintf/.
> 
> Looks like the time machine is at work again: the version we use *is*
> a free snprintf implementation.

Well, let's say it's a free snprintf emulation ;-)
 
> If you want to replace it with a different one, you should indicate
> specifically which one you'd like to use instead. I think Mark
> Martinec's implementation (the top one on the URL you give) is
> unacceptable, because the license is too restrictive: we must
> incorporate the package in its entirety, i.e. redistribution of
> portions seems not to be licensed by the Frontier Artistic License.
> 
> I don't have the time to review 10 other implementations for their
> suitability both in terms of licensing and correctness.
> 
> Instead, I'd rather review the three occurrences of PyOS_snprintf, to
> determine quickly that you will have a hard time to overflow that
> buffer; *it is not at all easy*. Even if it does overflow, you will
> get a fatal error, rather than silent memory corruption. That is good
> enough for me.

Note that the version in Python does not result in *stack* overflows
which are the type of buffer overflow usually used in exploits.
PyOS_snprintf() allocates a buffer on the heap and then lets
sprintf() write there -- it then checks for an overflow and
causes a fatal error if it finds that sprintf() failed to
manage with the size + 512 bytes it had for formatting the
string.

The only attack on this kind of emulation is a denial of service
attack.

In the 3 cases where this API is used in Python, an overflow
is not possible (unless the native sprintf() implementation
is broken).

-- 
Marc-Andre Lemburg
CEO eGenix.com Software GmbH
______________________________________________________________________
Consulting & Company:                           http://www.egenix.com/
Python Software:                        http://www.lemburg.com/python/
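The heap-buffered emulation Marc-Andre describes above (sprintf() into a scratch buffer of size + 512 bytes, then check whether the result fitted, and treat a miss as fatal), written out as an added example. This is editorial illustration, not Python's mysnprintf.c and not code from anyone in the thread; the names checked_vsnprintf, checked_snprintf, formats_to and SLACK are assumptions, and the only figure taken from the post is the 512-byte slack.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Slack added to the caller's size for the scratch buffer; 512 is the
 * figure quoted in the post. */
#define SLACK 512

/* checked_vsnprintf (assumed name): format into a heap-allocated scratch
 * buffer of size + SLACK bytes with vsprintf(), then verify that the output
 * fitted. The scratch buffer lives on the heap rather than in this
 * function's stack frame, so an oversized result cannot overwrite a return
 * address; the after-the-fact check turns it into a loud, immediate failure
 * instead of silent corruption. Returns the length the full output would
 * have had (as C99 snprintf does), or a negative value if vsprintf() failed. */
int checked_vsnprintf(char *str, size_t size, const char *format, va_list va)
{
    size_t alloc = size + SLACK;
    char *buffer;
    int len;

    if (size == 0)
        return 0;                /* no room even for the terminator */

    buffer = malloc(alloc);
    if (buffer == NULL)
        return -1;

    len = vsprintf(buffer, format, va);
    if (len < 0) {
        free(buffer);
        return len;
    }

    /* vsprintf() wrote len + 1 bytes; if that exceeds alloc it ran past the
     * slack region and the heap is already damaged. Python raises a fatal
     * error at this point; we abort() and deliberately do not touch the
     * heap again (no free). */
    if ((size_t)len >= alloc)
        abort();

    /* Ordinary snprintf truncation: copy at most size - 1 bytes and always
     * NUL-terminate. */
    if ((size_t)len >= size) {
        memcpy(str, buffer, size - 1);
        str[size - 1] = '\0';
    } else {
        memcpy(str, buffer, (size_t)len + 1);
    }
    free(buffer);
    return len;
}

/* Variadic wrapper, mirroring the snprintf/vsnprintf pair. */
int checked_snprintf(char *str, size_t size, const char *format, ...)
{
    va_list va;
    int len;
    va_start(va, format);
    len = checked_vsnprintf(str, size, format, va);
    va_end(va);
    return len;
}

/* Self-check helper (assumption, not an API): formats 'input' with "%s"
 * into a buffer of 'size' bytes (size <= 64) and returns the would-be
 * length if the buffer then holds exactly 'expected', otherwise -2. */
int formats_to(size_t size, const char *input, const char *expected)
{
    char buf[64];
    int len;
    if (size > sizeof buf)
        return -2;
    memset(buf, 'X', sizeof buf);    /* poison so truncation is visible */
    len = checked_snprintf(buf, size, "%s", input);
    return strcmp(buf, expected) == 0 ? len : -2;
}

int main(void)
{
    char out[8];
    int len = checked_snprintf(out, sizeof out, "%s", "hello world");
    /* prints: wanted 11 bytes, kept "hello w" */
    printf("wanted %d bytes, kept \"%s\"\n", len, out);
    return 0;
}
```

The point of the slack is exactly what the post says: a result that is longer than the caller's buffer but still within size + 512 is merely truncated, and anything beyond that is caught after the fact and ends the process rather than continuing on a corrupted heap. That is why the remaining exposure is denial of service rather than control-flow hijack, and why each caller still has to keep its worst-case output under the slack.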