From: John Hay
Subject: Re: Overflow in banner(1)
To: green@FreeBSD.ORG (Brian Fundakowski Feldman)
Cc: current@FreeBSD.ORG
Date: Wed, 24 Nov 1999 09:50:52 +0200 (SAT)
Message-Id: <199911240750.JAA96874@zibbi.mikom.csir.co.za>
In-Reply-To: from Brian Fundakowski Feldman at "Nov 24, 1999 00:44:11 am"

Hmmm, but now that you have changed message to be a pointer, the
sizeof(message) at the end of the patch will return the size of a pointer
which is 4 and probably not what you want. :-)

I think we should be careful when we make our security fixes so that we
don't introduce new bugs, which was also the problem that I had the other
day with doscmd.

John
--
John Hay -- John.Hay@mikom.csir.co.za

> I'd prefer something like this that I've attached. The move over the
> years has been away from artificial limits...
>
> --
>  Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
>  green@FreeBSD.org                    `------------------------------'
>
>
> Index: banner.c
> ===================================================================
> RCS file: /usr2/ncvs/src/usr.bin/banner/banner.c,v
> retrieving revision 1.6
> diff -u -r1.6 banner.c
> --- banner.c	1999/04/19 04:05:25	1.6
> +++ banner.c	1999/11/24 05:41:35
> @@ -1018,7 +1018,7 @@
>  };
>  
>  char line[DWIDTH];
> -char message[MAXMSG];
> +char *message;
>  char print[DWIDTH];
>  int debug, i, j, linen, max, nchars, pc, term, trace, x, y;
>  int width = DWIDTH;	/* -w option: scrunch letters to 80 columns */
> @@ -1058,14 +1058,24 @@
>  
>  	/* Have now read in the data. Next get the message to be printed. */
>  	if (*argv) {
> -		strcpy(message, *argv);
> +		message = strdup(*argv);
> +		if (message == NULL)
> +			err(1, "strdup");
>  		while (*++argv) {
> -			strcat(message, " ");
> -			strcat(message, *argv);
> +			char *omessage;
> +
> +			omessage = message;
> +			asprintf(&message, "%s %s", message, *argv);
> +			if (message == NULL)
> +				err(1, "asprintf");
> +			free(omessage);
>  		}
>  		nchars = strlen(message);
>  	} else {
>  		fprintf(stderr,"Message: ");
> +		message = malloc(MAXMSG);
> +		if (message == NULL)
> +			err(1, "malloc");
>  		(void)fgets(message, sizeof(message), stdin);
>  		nchars = strlen(message);
>  		message[nchars--] = '\0';	/* get rid of newline */
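Review bot: turning the file-scope `char message[MAXMSG]` into `char *message` in the first hunk silently changes the meaning of every `sizeof(message)` in the file from MAXMSG to the size of a pointer, and the `fgets(message, sizeof(message), stdin)` context line in the second hunk is exactly such a use. When an array becomes a pointer, every sizeof on that name should be replaced by the allocation size (here MAXMSG) or by a length variable kept next to the pointer.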
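Review bot: in the second hunk the interactive path still calls `fgets(message, sizeof(message), stdin)`, which after this change stores at most sizeof(char *) - 1 characters (3 on a 32-bit system) into the MAXMSG-byte buffer; it should read `fgets(message, MAXMSG, stdin)`. The same path also ignores the fgets return value, and `malloc(MAXMSG)` does not zero the buffer the way the old file-scope array was zero-initialised, so on immediate EOF `nchars = strlen(message)` runs over uninitialised memory; check fgets for NULL (or allocate with calloc) before taking strlen. The argv path is fine as written: asprintf's arguments are evaluated before the call, so the old `message` is formatted before `&message` is overwritten, and `omessage` keeps the pointer that is freed afterwards.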
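The sizeof pitfall John points out, as an added C example that is not from the thread or from banner(1) itself: read_message_buggy() mirrors the patch's interactive path (pointer plus sizeof, fgets result ignored), read_message_fixed() passes the allocation size and checks for EOF. The value of MAXMSG and the fmemopen-based read_from_string() helper are assumptions so the example runs offline.

```c
#define _POSIX_C_SOURCE 200809L	/* for fmemopen */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXMSG 1024	/* same role as banner's MAXMSG; the value is assumed */

/* Mirrors the patched interactive path: message is a pointer, so
 * sizeof(message) is sizeof(char *) and fgets stores at most that many
 * bytes minus one; on immediate EOF strlen() runs over uninitialised memory. */
char *read_message_buggy(FILE *in)
{
	char *message = malloc(MAXMSG);

	if (message == NULL)
		return NULL;
	(void)fgets(message, sizeof(message), in);	/* BUG: pointer size, not MAXMSG */
	message[strcspn(message, "\n")] = '\0';
	return message;
}

/* Corrected: pass the allocation size, treat EOF/error as "no message",
 * and drop the newline only if one was actually read. */
char *read_message_fixed(FILE *in)
{
	char *message = malloc(MAXMSG);

	if (message == NULL)
		return NULL;
	if (fgets(message, MAXMSG, in) == NULL) {
		free(message);
		return NULL;
	}
	message[strcspn(message, "\n")] = '\0';
	return message;
}

/* Demonstration helper (assumed, not from banner): feed a constructed string
 * to a reader through fmemopen so no terminal input is needed. */
char *read_from_string(char *(*reader)(FILE *), const char *text)
{
	FILE *in = fmemopen((void *)text, strlen(text), "r");
	char *result;

	if (in == NULL)
		return NULL;
	result = reader(in);
	fclose(in);
	return result;
}
```

With the constructed input "hello world\n", read_message_buggy() returns only the first sizeof(char *) - 1 characters, while read_message_fixed() returns the whole line.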