From owner-freebsd-security  Fri Sep  1 00:01:28 1995
Return-Path: security-owner
Received: (from majordom@localhost)
          by freefall.FreeBSD.org (8.6.11/8.6.6) id AAA19367
          for security-outgoing; Fri, 1 Sep 1995 00:01:28 -0700
Received: from disperse.demon.co.uk (disperse.demon.co.uk [158.152.1.77])
          by freefall.FreeBSD.org (8.6.11/8.6.6) with SMTP id AAA19361
          for <freebsd-security@freebsd.org>; Fri, 1 Sep 1995 00:01:25 -0700
Received: from post.demon.co.uk by disperse.demon.co.uk id aa08780;
          1 Sep 95 7:45 +0100
Received: from bagpuss.demon.co.uk by post.demon.co.uk id aa26204;
          1 Sep 95 7:42 +0100
Received: (karl@localhost) by bagpuss.demon.co.uk (3.1/3.1) id HAA08351; Fri, 1 Sep 1995 07:43:00 +0100
From: Karl Strickland <karl@bagpuss.demon.co.uk>
Message-Id: <199509010643.HAA08351@bagpuss.demon.co.uk>
Subject: Re: Eric Allman's syslog.c fixes
To: "Rodney W. Grimes" <rgrimes@gndrsh.aac.dev.com>
Date: Fri, 1 Sep 1995 07:42:59 +0100 (BST)
Cc: peter@haywire.dialix.com, freebsd-security@freebsd.org,
        eric@cs.berkeley.edu
In-Reply-To: <199508312137.OAA12750@gndrsh.aac.dev.com> from "Rodney W. Grimes" at Aug 31, 95 02:37:49 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1317      
Sender: security-owner@freebsd.org
Precedence: bulk

> 
> > 
> > Eric Allman is running a new syslog.c through the mill at the
> > moment. It'll be the one published in the RSN CERT advisory I presume.
> > 
> > It's thought to be bomproof on 4.4BSD systems (it uses vsnprintf), and
> > the only holdup is portability to other OS's.
> > 
> > I keep a pretty close eye on this area, as it's sendmail related.  Is
> > it worth bringing in the currently 'endorsed' version, and updating it
> > to the CERT version if there are any changes later?
> 
> Yes, that would give Eric additional test data and eyes looking at
> the solution.

I think that the fmt string should also be bounds checked - there is still
no bounds check on the copy from the user supplied fmt string into the
internal buffer.  Having said that, Im not aware of anything that lets
the user mess with the fmt string, but I think it makes sense to fix it
at this point.

Other than that, it looks good to me -- I did a make world (yes i know
its extreme :)) with it and its been going without problems for > 24 hours..

-- 
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |