Date: Thu, 11 Jul 2019 01:47:29 +0000 From: Alexey Dokuchaev <danfe@freebsd.org> To: Philip Paeps <philip@freebsd.org> Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r349890 - head/contrib/telnet/telnet Message-ID: <20190711014729.GB23621@FreeBSD.org> In-Reply-To: <201907101742.x6AHg4os016752@repo.freebsd.org> References: <201907101742.x6AHg4os016752@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jul 10, 2019 at 05:42:04PM +0000, Philip Paeps wrote: > New Revision: 349890 > URL: https://svnweb.freebsd.org/changeset/base/349890 > > Log: > telnet: fix a couple of snprintf() buffer overflows > > Modified: head/contrib/telnet/telnet/commands.c > @@ -1655,10 +1655,11 @@ env_init(void) > char hbuf[256+1]; > char *cp2 = strchr((char *)ep->value, ':'); > > - gethostname(hbuf, 256); > - hbuf[256] = '\0'; > - cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1); > - sprintf((char *)cp, "%s%s", hbuf, cp2); Would it make sense to add something like __attribute__ ((deprecated)) to those unsafe functions like gets(), sprintf(), etc.? Or it would cause too much PITA? ./danfe
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190711014729.GB23621>