From owner-freebsd-security Sat Oct 21 00:32:34 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id AAA08002 for security-outgoing; Sat, 21 Oct 1995 00:32:34 -0700
Received: from haywire.DIALix.COM (news@haywire.DIALix.COM [192.203.228.65]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id AAA07363 for ; Sat, 21 Oct 1995 00:28:58 -0700
Received: (from news@localhost) by haywire.DIALix.COM (sendmail) id PAA08434 for freebsd-security@freebsd.org; Sat, 21 Oct 1995 15:26:23 +0800 (WST)
Received: from GATEWAY by haywire.DIALix.COM with netnews for freebsd-security@freebsd.org (problems to: usenet@haywire.dialix.com)
To: freebsd-security@freebsd.org
Date: 21 Oct 1995 15:08:40 +0800
From: peter@haywire.dialix.com (Peter Wemm)
Message-ID: <46a69o$7de$1@haywire.DIALix.COM>
Organization: DIALix Services, Perth, Australia.
References: <199510200307.UAA15977@elite.net>
Subject: Re: status of syslog patch?
Sender: owner-security@freebsd.org
Precedence: bulk

nate@elite.net (Nate Lawson) writes:

>What is the status of the patch for the buffer overflow in syslog()?
>I checked FreeBSD-current as of 10/19 and the sccs id still says:
>"@(#)syslog.c 8.4 (Berkeley) 3/18/94"
>Does anyone plan to integrate it into the source tree? If not, can someone
>please send me a copy of syslog.c that safely and intelligently uses
>snprintf to limit buffer overflows?
>Thanks,
>Nate
>E. Admin

Whoops. I forgot to add/change the file ID when I fixed it before.

The FreeBSD version is (IMHO) better than the snprintf() version because it
more efficiently checks for buffer overruns at every point that the buffer
is written to, by way of the 4.4BSD specific fwopen() library call.

-Peter
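
Added example, not part of the original message and not FreeBSD's syslog.c: a portable sketch of the bounds check both messages are about, where every append into a fixed message buffer is clamped to the space that is left. It uses vsnprintf() rather than fwopen(); the names msgbuf, msgbuf_printf and format_record are hypothetical, and the "<pri>tag: text" layout is an assumed sample format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: a cursor into a fixed-size message buffer. */
struct msgbuf {
    char  *pos;        /* where the next byte goes */
    size_t left;       /* bytes free at pos, including room for the NUL */
    int    truncated;  /* set once any append had to be cut short */
};

/* Append formatted text without ever writing past the buffer. */
static void msgbuf_printf(struct msgbuf *m, const char *fmt, ...)
{
    va_list ap;
    int want;
    if (m->left <= 1) { m->truncated = 1; return; }  /* only the NUL fits */
    va_start(ap, fmt);
    want = vsnprintf(m->pos, m->left, fmt, ap);
    va_end(ap);
    if (want < 0) { *m->pos = '\0'; return; }        /* format error: keep nothing */
    /* vsnprintf returns the length it WANTED to write, so clamp the advance. */
    if ((size_t)want >= m->left) {
        want = (int)(m->left - 1);
        m->truncated = 1;
    }
    m->pos += want;
    m->left -= (size_t)want;
}

/* Build "<pri>tag: text" in out[size]; returns 1 if it had to truncate. */
static int format_record(char *out, size_t size, int pri,
                         const char *tag, const char *text)
{
    struct msgbuf m = { out, size, 0 };
    if (size > 0) out[0] = '\0';
    msgbuf_printf(&m, "<%d>", pri);
    msgbuf_printf(&m, "%s: ", tag);
    msgbuf_printf(&m, "%s", text);
    return m.truncated;
}

int main(void)
{
    char line[16];  /* deliberately small, constructed sample input below */
    int cut = format_record(line, sizeof line, 13, "sshd", "longer than the buffer");
    printf("%s (truncated=%d)\n", line, cut);
    return 0;
}
```

Advancing the cursor by the raw vsnprintf() return value instead of the clamped one is the usual way a hand-rolled snprintf() conversion reintroduces the overflow on the following append.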