Date: Wed, 10 Jul 2019 19:06:25 -0700
From: Cy Schubert <Cy.Schubert@cschubert.com>
To: Alexey Dokuchaev <danfe@freebsd.org>
Cc: Philip Paeps <philip@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r349890 - head/contrib/telnet/telnet
Message-ID: <201907110206.x6B26PUu013164@slippy.cwsent.com>
In-Reply-To: Message from Alexey Dokuchaev <danfe@freebsd.org> of "Thu, 11 Jul 2019 01:47:29 -0000." <20190711014729.GB23621@FreeBSD.org>
In message <20190711014729.GB23621@FreeBSD.org>, Alexey Dokuchaev writes:
> On Wed, Jul 10, 2019 at 05:42:04PM +0000, Philip Paeps wrote:
> > New Revision: 349890
> > URL: https://svnweb.freebsd.org/changeset/base/349890
> >
> > Log:
> >   telnet: fix a couple of snprintf() buffer overflows
> >
> > Modified: head/contrib/telnet/telnet/commands.c
> > @@ -1655,10 +1655,11 @@ env_init(void)
> > char hbuf[256+1];
> > char *cp2 = strchr((char *)ep->value, ':');
> >
> > - gethostname(hbuf, 256);
> > - hbuf[256] = '\0';
> > - cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1);
> > - sprintf((char *)cp, "%s%s", hbuf, cp2);
>
> Would it make sense to add something like __attribute__ ((deprecated))
> to those unsafe functions like gets(), sprintf(), etc.?  Or would it
> cause too much PITA?

sprintf() is not deprecated (https://en.cppreference.com/w/c/io/fprintf).
gets() is removed in C11 (https://en.cppreference.com/w/c/io/gets), replaced
by gets_s().  We already have gets_s().  We need printf_s(), sprintf_s() and
snprintf_s().

-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org

	The need of the many outweighs the greed of the few.
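Review bot: in the quoted `-` lines, `cp2 = strchr((char *)ep->value, ':')` is fed straight to `strlen(cp2)` and `sprintf()` with no NULL check visible in the excerpt, and `cp = (char *)malloc(...)` is likewise passed to `sprintf()` without testing for allocation failure; the replacement `+` lines are not quoted, so the excerpt does not show whether the rewrite keeps either path. Suggest guarding `cp2 != NULL` before the length computation and `cp == NULL` after `malloc()` before formatting, and checking the `snprintf()` return value against the buffer size so silent truncation is not traded for the overflow.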
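An added example, not code from the commit, the thread, or FreeBSD's telnet: a bounded replacement for the removed `gethostname()`/`malloc()`/`sprintf()` sequence in which every length is checked and the `snprintf()` return value is tested for truncation, together with the `__attribute__((deprecated))` marking Alexey asks about, applied to a hypothetical wrapper `unsafe_format()` so that any call site gets a compile-time warning. `join_host_display()`, `join_equals()`, `long_hostname_rejected()` and `HOSTNAME_MAX` are names assumed for the example; the inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTNAME_MAX 256	/* same bound as the 256+1 hbuf in commands.c */

/*
 * Hypothetical wrapper (not in telnet) showing the attribute asked about
 * in the thread: GCC and Clang warn at every call site with the message.
 * Nothing below calls it; it exists only to show the syntax.
 */
__attribute__((deprecated("use snprintf() with an explicit size")))
static int
unsafe_format(char *dst, const char *src)
{
	return (sprintf(dst, "%s", src));
}

/*
 * Build "<hostname><:display>" as the removed code did, but bounded:
 * the hostname is copied with an explicit size and always NUL-terminated,
 * a missing ':' (strchr() returning NULL) is reported rather than passed
 * to strlen(), malloc() failure is checked, and snprintf()'s return value
 * is tested for truncation.  Returns a malloc()ed string or NULL; the
 * caller frees it.
 */
static char *
join_host_display(const char *hostname, const char *value)
{
	char hbuf[HOSTNAME_MAX + 1];
	const char *cp2;
	char *cp;
	size_t need;
	int n;

	if (hostname == NULL || value == NULL)
		return (NULL);
	cp2 = strchr(value, ':');
	if (cp2 == NULL)
		return (NULL);
	/* Bounded copy; a result >= sizeof(hbuf) means the name did not fit. */
	n = snprintf(hbuf, sizeof(hbuf), "%s", hostname);
	if (n < 0 || (size_t)n >= sizeof(hbuf))
		return (NULL);
	need = strlen(hbuf) + strlen(cp2) + 1;
	cp = malloc(need);
	if (cp == NULL)
		return (NULL);
	n = snprintf(cp, need, "%s%s", hbuf, cp2);
	if (n < 0 || (size_t)n >= need) {
		free(cp);
		return (NULL);
	}
	return (cp);
}

/* Convenience check: does the join produce 'want' (NULL meaning rejected)? */
static int
join_equals(const char *hostname, const char *value, const char *want)
{
	char *s = join_host_display(hostname, value);
	int ok;

	if (s == NULL)
		return (want == NULL);
	ok = (want != NULL && strcmp(s, want) == 0);
	free(s);
	return (ok);
}

/* A constructed 300-byte hostname must be rejected, not silently truncated. */
static int
long_hostname_rejected(void)
{
	char big[301];

	memset(big, 'a', 300);
	big[300] = '\0';
	return (join_host_display(big, ":0.0") == NULL);
}

int
main(void)
{
	char *s = join_host_display("slippy", "localhost:0.0");

	if (s == NULL)
		return (1);
	printf("%s\n", s);		/* slippy:0.0 */
	free(s);
	return (long_hostname_rejected() ? 0 : 1);
}
```

The hostname is passed in as a parameter rather than read with `gethostname()` so the truncation and missing-colon paths can be exercised with fixed inputs; in the real code the same `snprintf()`-into-`hbuf` pattern replaces the manual `hbuf[256] = '\0'` termination.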