Date: Mon, 10 Nov 2008 11:11:52 +0100
From: Dag-Erling Smørgrav <des@des.no>
To: Kostik Belousov <kostikbel@gmail.com>
Cc: svn-src-head@freebsd.org, Matteo Riondato <matteo@freebsd.org>, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r184779 - head/usr.sbin/cron/crontab
Message-ID: <86wsfb51qv.fsf@ds4.des.no>
In-Reply-To: <20081109132026.GL18100@deviant.kiev.zoral.com.ua> (Kostik Belousov's message of "Sun, 9 Nov 2008 15:20:26 +0200")
References: <200811090644.mA96ira1032670@svn.freebsd.org> <20081109132026.GL18100@deviant.kiev.zoral.com.ua>
Kostik Belousov <kostikbel@gmail.com> writes:
> Matteo Riondato <matteo@freebsd.org> writes:
> > - (void) sprintf(n, CRON_TAB(User));
> > + (void) snprintf(n, sizeof(n), CRON_TAB(User));
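Review bot: The (void) cast on the added snprintf() line discards the return value, so a path that does not fit in n is truncated without any error. Compare the result against sizeof(n) and fail when it is negative or greater than or equal to that size. Also confirm that n is declared as an array in this scope, since the hunk does not show the declaration and sizeof(n) on a pointer would give the pointer size rather than the buffer size.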
> This note is probably also about paranoia instead of an exploitable bug.
> I think that it is better to use %s format explicitly instead of
> expecting no '%' in the CRON_TAB(User).
Better still would be to replace the vile CRON_TAB() macro with a
function:
/* Build the crontab path SPOOL_DIR/user in str; returns snprintf()'s result. */
static inline int
cron_tab(char *str, size_t len, const char *user)
{
	return (snprintf(str, len, "%s/%s", SPOOL_DIR, user));
}
DES
--
Dag-Erling Smørgrav - des@des.no
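
Added example, not part of the original message or of FreeBSD's cron source: a checked variant of the function proposed above, showing that a literal "%s/%s" format copies any '%' in the user name as data and that the snprintf() return value reveals truncation. The name cron_tab_checked, the SPOOL_DIR value, the buffer size and the sample user names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: stand-in value; the real SPOOL_DIR comes from cron's headers. */
#define SPOOL_DIR "tabs"

/*
 * Hypothetical checked variant of the cron_tab() idea: build
 * "SPOOL_DIR/user" in buf. Returns 0 on success, -1 if the result
 * did not fit (buf then holds a truncated, NUL-terminated string)
 * or if snprintf() reported an error.
 */
static int
cron_tab_checked(char *buf, size_t len, const char *user)
{
	int n;

	/* The format is a literal, so '%' in user is copied as data. */
	n = snprintf(buf, len, "%s/%s", SPOOL_DIR, user);
	if (n < 0 || (size_t)n >= len)
		return (-1);
	return (0);
}

int
main(void)
{
	/* Constructed sample inputs. */
	const char *users[] = { "alice", "we%sird%n", "averyveryverylongusername" };
	char path[16];
	size_t i;

	for (i = 0; i < sizeof(users) / sizeof(users[0]); i++) {
		if (cron_tab_checked(path, sizeof(path), users[i]) == 0)
			printf("ok:        %s\n", path);
		else
			printf("truncated: %s\n", path);
	}
	return (0);
}
```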
