I found the following bug in SCO Unix 3.2.* and I think it may be common
to many AT&T derived Unixes.

sscanf() calls _doscan() to read from a pretend file. The file
uses the string as a buffer and a fake file descriptor of 60 (=_NFILE).
Since _NFILE (for SCO UNIX) is 60, it assumes that fd 60 can never be open.
Then when fscanf() hits the end of the string it calls _filbuf() to read
into the buffer (which is the string) from fd 60. This should fail with
an errno=9, and then _filbuf() sets EOF and it all terminates.

However, in SCO Unix you can reconfigure the kernel to increase the number
of files per process to a recommended maximum of 150. If you do this, then
your program might have fd 60 open one day. Then sscanf() will read from this
file, overwriting your string. The byte count to the read() in _filbuf()
is some undefined but large value, so a lot of memory will be overwritten. In
my case the string was on the stack, so my stack was wiped.

In short, if you configure your kernel to have NOFILES > _NFILE, i.e. more than
the default, then sscanf() is a time bomb in your code.

I noticed that Pyramid's OS has the same code in sscanf() and _filbuf().
HPUX, however, has a special flag to indicate pretend files for _doscan().
Computer Power Group, R&D
19 Cato St., East Hawthorn, Vic
Anthony Shipman "You've got to be taught before it's too late,
CP Software Export Pty Ltd, Before you are six or seven or eight,
19 Cato St., East Hawthorn, To hate all the people your relatives hate,
Melbourne, Australia, 3121 You've got to be carefully taught." R&H
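A minimal model of the mechanism described above, written as an added example (not code from the post or from any vendor's libc): a string-backed stream whose only marker is the sentinel fd 60, beside the HP-UX-style flagged variant that never touches an fd. The ModelFile struct, the function names and the pipe standing in for "fd 60 happens to be open" are all constructed for illustration; the read size is capped at the string's size so the model does not actually corrupt the stack.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Toy model of the AT&T-style stdio stream that sscanf() builds around the
 * caller's string. Constructed for illustration; this is not SCO's libc. */
#define MODEL_NFILE   60     /* sentinel fd the old code assumed could never be open */
#define STRING_STREAM 0x01   /* HP-UX-style "pretend file" flag */

/* base: the caller's string doubles as the buffer; ptr/cnt: read position and bytes left */
typedef struct { char *base, *ptr; int cnt, fd, flags; } ModelFile;

static void string_stream(ModelFile *f, char *s, int flagged) {
    f->base = f->ptr = s;
    f->cnt = (int)strlen(s);
    f->fd = MODEL_NFILE;
    f->flags = flagged ? STRING_STREAM : 0;
}

/* Vulnerable refill: trusts the sentinel fd and read()s into the string buffer.
 * bufsz stands in for the "undefined but large" count in the real _filbuf(). */
static int filbuf_sentinel(ModelFile *f, size_t bufsz) {
    ssize_t n = read(f->fd, f->base, bufsz);
    if (n <= 0) return EOF;
    f->ptr = f->base;
    f->cnt = (int)n - 1;
    return (unsigned char)*f->ptr++;
}

/* Hardened refill: a flagged string stream is simply exhausted; no fd is touched. */
static int filbuf_flagged(ModelFile *f, size_t bufsz) {
    if (f->flags & STRING_STREAM) return EOF;
    return filbuf_sentinel(f, bufsz);
}

/* Open fd 60 (as a raised NOFILES would allow), exhaust the string, ask for a refill.
 * Returns 1 if the string survived, 0 if the refill overwrote it, -1 on setup error. */
static int run_model(int flagged) {
    char str[16] = "123";
    int p[2];
    if (pipe(p) < 0 || dup2(p[0], MODEL_NFILE) < 0) return -1;
    if (write(p[1], "garbage-garbage", 15) != 15) return -1;  /* data waiting on fd 60 */
    ModelFile f;
    string_stream(&f, str, flagged);
    f.cnt = 0;  /* scanf has consumed "123" and now asks _filbuf() for more */
    int rc = flagged ? filbuf_flagged(&f, sizeof str) : filbuf_sentinel(&f, sizeof str);
    close(MODEL_NFILE); close(p[0]); close(p[1]);
    return rc == EOF && strcmp(str, "123") == 0;
}
```

With the sentinel-only stream the refill returns 'g' and the caller's string now reads "garbage-garbage"; with the flag set the refill returns EOF and the string is untouched.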