From owner-freebsd-security Tue Sep 21 13:29: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5F13D158B3; Tue, 21 Sep 1999 13:27:43 -0700 (PDT)
	(envelope-from ben@scientia.demon.co.uk)
Received: from lithium.scientia.demon.co.uk ([192.168.0.3] ident=exim)
	by scientia.demon.co.uk with esmtp (Exim 3.032 #1)
	id 11TVPU-0004rJ-00; Tue, 21 Sep 1999 20:17:04 +0100
Received: (from ben) by lithium.scientia.demon.co.uk (Exim 3.032 #1)
	id 11TVPT-0004sM-00; Tue, 21 Sep 1999 20:17:03 +0100
Date: Tue, 21 Sep 1999 20:17:03 +0100
From: Ben Smithurst
To: FreeBSD Security Officer
Cc: security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-99:06.amd
Message-ID: <19990921201703.C17788@lithium.scientia.demon.co.uk>
References: <199909210214.UAA22243@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <199909210214.UAA22243@harmony.village.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

FreeBSD Security Officer wrote:

> + /* > + * XXX: ptr is 1024 bytes long. It is possible to write into it > + * more than 1024 bytes, if efmt is already large, and vargs expand > + * as well. > + */ > vsprintf(ptr, efmt, vargs); > + msg[1023] = '\0'; /* null terminate, to be sure */

This may be a stupid question, but why not just replace the last two
lines with

	vsnprintf(ptr, 1024, efmt, vargs);

?

-- 
Ben Smithurst            | PGP: 0x99392F7D
ben@scientia.demon.co.uk | key available from keyservers and
                         | ben+pgp@scientia.demon.co.uk

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
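
Review bot: The added "msg[1023] = '\0';" runs after the unbounded "vsprintf(ptr, efmt, vargs);", so it cannot prevent the overflow that the new XXX comment describes; by the time the terminator is stored, any bytes past the end of the buffer have already been written. As posted, the hunk documents the problem without bounding the write. Suggest replacing the call with a length-limited formatter such as vsnprintf, with the limit set to the space actually left between ptr and the end of the buffer. Also note that the write goes through ptr while the terminator is stored through msg; the visible lines do not show how the two relate, so if ptr does not point at the start of msg, a fixed limit of 1024 would still be too large and the bound should be computed from ptr's offset.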