From owner-freebsd-security Tue Sep 21 13:46:24 1999
Message-Id: <199909212044.OAA27505@harmony.village.org>
To: Ben Smithurst
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-99:06.amd
Cc: FreeBSD Security Officer, security@freebsd.org
In-reply-to: Your message of "Tue, 21 Sep 1999 20:17:03 BST." <19990921201703.C17788@lithium.scientia.demon.co.uk>
References: <19990921201703.C17788@lithium.scientia.demon.co.uk> <199909210214.UAA22243@harmony.village.org>
Date: Tue, 21 Sep 1999 14:44:40 -0600
From: Warner Losh

In message <19990921201703.C17788@lithium.scientia.demon.co.uk> Ben Smithurst writes:
: FreeBSD Security Officer wrote:
:
: > + /*
: > + * XXX: ptr is 1024 bytes long. It is possible to write into it
: > + * more than 1024 bytes, if efmt is already large, and vargs expand
: > + * as well.
: > + */
: > vsprintf(ptr, efmt, vargs);
: > + msg[1023] = '\0'; /* null terminate, to be sure */
:
: This may be a stupid question, but why not just replace the last two lines
: with
:
: vsnprintf(ptr, 1024, efmt, vargs);
:
: ?

That would actually be safer. Since the former does overflow. Damn.
I hate it when patches I thought I'd reviewed come up with things like
this :-(

Warner
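
Review bot: storing the terminator with msg[1023] = '\0' after vsprintf(ptr, efmt, vargs) does not stop the overflow the new XXX comment describes; by the time that line runs, vsprintf has already written past the 1024 bytes. The write also goes through ptr while the terminator goes through msg, and the hunk does not show that the two refer to the same buffer start. Replace both lines with a bounded call such as vsnprintf(ptr, 1024, efmt, vargs), with the size taken from the space actually left at ptr, and drop the XXX comment once the bound is enforced.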
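
Added example (not part of the original message or of the amd source): the bounded call suggested in the thread, with the vsnprintf return value checked so that truncation is detected instead of silently ignored. The struct, the function names and the 2000-byte input are constructed for illustration; only the 1024-byte size comes from the patch comment.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_SIZE 1024   /* buffer size stated in the patch comment */

/* Hypothetical log record: a guard word sits right after the buffer so
 * that a write past the end of msg would be visible. */
struct logrec {
    char msg[MSG_SIZE];
    unsigned guard;
};

/* Format into rec->msg without ever writing more than MSG_SIZE bytes.
 * Returns 0 if the whole message fit, 1 if it was truncated, -1 on error. */
static int log_format(struct logrec *rec, const char *efmt, ...)
{
    va_list vargs;
    int need;

    va_start(vargs, efmt);
    /* vsnprintf always NUL-terminates and returns the length it wanted. */
    need = vsnprintf(rec->msg, sizeof rec->msg, efmt, vargs);
    va_end(vargs);

    if (need < 0) {
        rec->msg[0] = '\0';
        return -1;
    }
    return (size_t)need >= sizeof rec->msg;
}

/* Constructed input: a 2000-byte argument expanded through "%s". */
static int demo_oversized(struct logrec *rec)
{
    static char big[2001];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    rec->guard = 0xC0FFEEu;
    return log_format(rec, "mount failed: %s", big);
}

int main(void)
{
    struct logrec rec;
    int truncated = demo_oversized(&rec);

    printf("truncated=%d len=%zu guard=%#x\n",
           truncated, strlen(rec.msg), rec.guard);
    return 0;
}
```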