Date: Tue, 21 Sep 1999 14:44:40 -0600
From: Warner Losh <imp@village.org>
To: Ben Smithurst <ben@scientia.demon.co.uk>
Cc: FreeBSD Security Officer <security-officer@freebsd.org>, security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-99:06.amd
Message-ID: <199909212044.OAA27505@harmony.village.org>
In-Reply-To: Your message of "Tue, 21 Sep 1999 20:17:03 BST." <19990921201703.C17788@lithium.scientia.demon.co.uk>
References: <19990921201703.C17788@lithium.scientia.demon.co.uk> <199909210214.UAA22243@harmony.village.org>

In message <19990921201703.C17788@lithium.scientia.demon.co.uk> Ben Smithurst writes:
: FreeBSD Security Officer wrote:
:
: > + /*
: > + * XXX: ptr is 1024 bytes long. It is possible to write into it
: > + * more than 1024 bytes, if efmt is already large, and vargs expand
: > + * as well.
: > + */
: > vsprintf(ptr, efmt, vargs);
: > + msg[1023] = '\0'; /* null terminate, to be sure */
:
: This may be a stupid question, but why not just replace the last two lines
: with
:
: vsnprintf(ptr, 1024, efmt, vargs);
:
: ?

That would actually be safer. Since the former does overflow. Damn. I
hate it when patches I thought I'd reviewed come up with things like
this :-(

Warner
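
Review bot: the added `msg[1023] = '\0';` in the quoted hunk runs only after `vsprintf(ptr, efmt, vargs);` has already written, so it does not bound the write that the new XXX comment says can exceed the 1024 bytes of `ptr`. The terminator is also stored through `msg` while the formatting goes through `ptr`, and the visible lines do not show how the two relate, so index 1023 may not be the last byte of the region being written. Replacing both lines with the bounded call proposed in the reply, `vsnprintf(ptr, 1024, efmt, vargs);`, limits the write itself and lets the XXX comment be dropped.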
