vsnprintf call on HPUX

 
Bharat Katkar
Honored Contributor

vsnprintf call on HPUX

Hi Friends,
Can anybody tell me what the "vsnprintf" call does and whether there is any known BUG for "vsnprintf"? I was told that "vsnprintf" has some issue and hence wanted to verify the same.

Please let me know all possible info you have regarding this.

Also, does anybody know whether HP maintains a BUGLIST for known problems, and if so can you direct me to the same?

Thanks in advance.
Regards,
Bharat

You need to know a lot to actually know how little you know
19 REPLIES
Peter Godron
Honored Contributor

Re: vsnprintf call on HPUX

Bharat,
"vsnprintf and snprintf are new interfaces that provide sprintf-like functionality without overflowing target buffers. The use of these interfaces is recommended in situations where buffer overflows may lead to a security breach."

Do a man vsnprintf for other info.

There have been some patches for HP11(PHCO_20889, PHCO_30407).
Arunvijai_4
Honored Contributor
Bharat Katkar
Honored Contributor

Re: vsnprintf call on HPUX

Arun,

The first link talks about vprintf and the second I am not able to open.

Please let me know if you are aware of any bug in this particular "vsnprintf" call.

Regards,
You need to know a lot to actually know how little you know
Arunvijai_4
Honored Contributor

Re: vsnprintf call on HPUX

Hi Bharat,

Second link is HP's DSPP page, in which you should register to access it.

Back to the question, Any vulnerabilities in vsnprintf,

http://www.kb.cert.org/vuls/id/654390
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=4218
http://www.uscert.gov/cas/techalerts/TA04-174A.html

Note : These are specific to vsnprintf calls not HP-UX. Anyways, worth reading

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Bharat Katkar
Honored Contributor

Re: vsnprintf call on HPUX

Can anybody tell me the functional issues of "vsnprintf" call on HPUX.
Regards,
You need to know a lot to actually know how little you know
Sandman!
Honored Contributor

Re: vsnprintf call on HPUX

Bharat,

Here's the manual page of vsnprintf...hope it helps.

http://devrsrc1.external.hp.com/STK/cgi-bin/man2html?debug=0&manpage=/usr/share/man/man3.Z/vsnprintf.3s

OR

man 3s vsnprintf

cheers!
Gregory Fruth
Esteemed Contributor

Re: vsnprintf call on HPUX

vsnprintf is the buffer overflow protected
version of vprintf/vfprintf/vsprintf,
which in turn are the variable argument
versions of printf/fprintf/sprintf. See
"man stdarg" for information on variable
arguments.

The known issues in vsnprintf are listed
in the patch database on the ITRC. If you
have some problem that's not covered by
the patches then you should file a support
request. Or perhaps you could at least
describe what problem you think you're
having with vsnprintf.
Sameer_Nirmal
Honored Contributor

Re: vsnprintf call on HPUX

Hi Bharat,

As per HP Doc, the vsnprintf() and snprintf() were first added to "libc" in HPUX 11.00
I haven't heard/read about any issue with vsnprintf(). Since I haven't used it so far, I can't comment on functional issues. But I feel having latest "libc" and security patches on the system would be good to go.

Would you mind sharing the issue you heard about it?

As far as I know, HP doesn't have a separate website/link to maintain or rather "show" known problem/bugs and their resolution details etc.
However, you could see bugs details in patch database having SR and CR for a HPUX entity.

I personally feel, HP should have such thing in place for known Bugs so their customer would be aware of them. This would add in HP's efforts to share information through their websites as they always do remarkably well than other OEMs. I know Sun and Oracle do maintain such details at their support websites so why not HP?
Arunvijai_4
Honored Contributor

Re: vsnprintf call on HPUX

Hi Bharat,

Something to add-on, if you would like to search for any vulnerability issues, best place to go is http://www.cert.org/ Established in 1988, the CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

Also, http://secunia.com/ provides some good information. I used to subscribe to the newsletter from these sites once a week for any bugs/security holes in Unix and other apps.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Bharat Katkar
Honored Contributor

Re: vsnprintf call on HPUX

Thanks a lot everybody for your responses.
Actually my problem is:

We have written a program that makes use of vsnprintf to convert a variable-length list of arguments using a format specifier into a string buffer. The moment control reaches the vsnprintf line, the program exits with SIGBUS.
We are sure about the rest of the code and we suspect a BUG in the vsnprintf call.

So my question is whether there are any known BUGs against vsnprintf regarding SIGBUS.

Sorry for not sharing this initially since I was not aware of it exactly.

Waiting for your valuable suggestion.

Thanks a lot for your time and concern.

Regards,
Bharat
You need to know a lot to actually know how little you know
Sameer_Nirmal
Honored Contributor

Re: vsnprintf call on HPUX

Hi,

Since the program is giving SIGBUS, it may not be problem with vsnprintf() but with memory address alignment. Signal "SIGBUS" indicates an access to an invalid memory address.
Are you sure correct arguments being passed to vsnprintf() as defined in "stdarg.h"?

I would suggest to debug the program using gdb/wdb and check for stack trace.

Did it create "core" file? If yes, what you see in
# file core
# what core

By the way, what's environment in picture?
OS version, server, compiler, patch status?
Gregory Fruth
Esteemed Contributor

Re: vsnprintf call on HPUX

Make sure the 4th argument to vsnprintf
is of type va_list and that you are
properly initializing it using va_start.
Bill Hassell
Honored Contributor

Re: vsnprintf call on HPUX

HP maintains a complete buglist in the form of its patch database. Just go to this website:

http://www1.itrc.hp.com/service/patch/search.do?admit=-682735245+1141329023001+28353475&BC=patch.breadcrumb.main%7C&pageContextName=hpux%3A%3A%3A

Select the version of HP-UX and then search for the keyword(s). All patches (and detailed descriptions of the problems that were fixed) are available from this website. To search all documents for vsnprintf, go to the ITRC main website at itrc.hp.com and select the knowledge base. Then search for vsnprintf to see lots of documents.


Bill Hassell, sysadmin
Bharat Katkar
Honored Contributor

Re: vsnprintf call on HPUX

Bill, the link doesn't help.
It is just not listing anything related to vsnprintf.
Thanks,
Bharat

Note: There are no patches available that match the search criteria.

step 1: Select hardware and OS: 800 11.23

step 2: How would you like to search?
Search by Keyword: vsnprintf

step 3: Search Criteria all words any word exact phrase boolean

step 4: Results per page: 25

You need to know a lot to actually know how little you know
Arunvijai_4
Honored Contributor
Solution

Re: vsnprintf call on HPUX

Hi Bharat,

Just a thought, Instead of searching the patch list, You can try with the main search box at the top.

http://www1.itrc.hp.com/service/james/search.do?searchtext=vsnprintf&submit.x=0&submit.y=0&hpl=1&todo=search&searchcriteria=allwords&from=other&searchcategory=ALL&rn=25&presort=rank&source=7000&esc=us-support.external.hp.com&wpa=www1.itrc.hp.com%3A80&origin=0&chkServStor=on

Even I tried with patch search, didn't get any information. But when you try with generic search, you get a lot of pages with "vsnprintf"

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Bharat Katkar
Honored Contributor

Re: vsnprintf call on HPUX

Gregory I am just verifying your suggestion and hence put on hold your point assignment. May be turn out to be an RABBIT response. :)

Arun that link really helped.
We will go through it and let you know in case we find anything.

Thanks and regards,
Bharat
You need to know a lot to actually know how little you know
Bharat Katkar
Honored Contributor

Re: vsnprintf call on HPUX

Hi friends,

Still not able to find anything specific. :(
Would like to hear more on this.

Thanks a lot again.

Regards,
Bharat
You need to know a lot to actually know how little you know
Dennis Handly
Acclaimed Contributor

Re: vsnprintf call on HPUX

If you don't have a support contract you can only search the knowledge database for fixed problems in patches.

The only bugs I see are:
JAGaf80770: vsnprintf and snprintf return doesn't conform to C99
JAGaf47646: with small buffer vsnprintf always returns -1

And they don't mention signal 10.
So, as Sameer suggests, you need to go into a debugger and debug the input to vsnprintf, if it is really aborting there.
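
Added example (not code from any poster in this thread): a wrapper that applies Gregory Fruth's advice on passing a `va_list` initialized with `va_start`, and tolerates the two return-value behaviours Dennis Handly lists (C99 length versus -1 on a small buffer). The names `format_va`, `log_format` and `PRINTF_LIKE` are hypothetical; the format attribute is a GCC extension that flags format/argument mismatches at compile time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* GCC-compatible compilers can check the arguments against the format. */
#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Hypothetical helper: 0 = fit, 1 = truncated, -1 = bad argument or a
 * negative return (an error, or truncation on a libc that predates C99). */
static int format_va(char *buf, size_t size, const char *fmt, va_list ap)
{
    int n;
    if (buf == NULL || size == 0 || fmt == NULL)
        return -1;
    n = vsnprintf(buf, size, fmt, ap);  /* 4th argument is the va_list */
    buf[size - 1] = '\0';               /* never rely on libc to terminate */
    if (n < 0)
        return -1;
    return ((size_t)n >= size) ? 1 : 0;
}

/* Hypothetical variadic front end: va_start names the last fixed parameter,
 * and every va_start is paired with va_end before returning. */
static int log_format(char *buf, size_t size, const char *fmt, ...)
    PRINTF_LIKE(3, 4);

static int log_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int rc;

    va_start(ap, fmt);
    rc = format_va(buf, size, fmt, ap);
    va_end(ap);     /* ap is indeterminate after use; do not reuse it */
    return rc;
}

int main(void)
{
    char msg[8];    /* constructed sample input */
    int rc = log_format(msg, sizeof msg, "%s-%d", "ab", 7);

    printf("rc=%d msg=%s\n", rc, msg);
    return 0;
}
```

A caller that gets 1 or -1 should treat the buffer as incomplete rather than trusting its contents.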
Gregory Fruth
Esteemed Contributor

Re: vsnprintf call on HPUX

If you are up to date on patches and
still have the problem then perhaps
you ought to submit a call to the HP
support center. If you do not have an
HP support contract then maybe you ought
to post the offending snippet of code
so that someone might be able to help.
It would help if you reduced the code
to the minimum required to reproduce
the error.