Subject: Re: Patch for 8lgm syslog/sendmail vulnerability, 4.4lite machines
To: Charles Hannum <Charles-Hannum@deshaw.com>
From: Don Lewis <gdonl@gv.ssi1.com>
List: current-users
Date: 08/29/1995 22:09:45
On Aug 29,  1:55pm, Charles Hannum wrote:
} Subject: Re: Patch for 8lgm syslog/sendmail vulnerability, 4.4lite machine
} Your original patch has a couple of problems; mainly, `p' can still
} overrun the end of the buffer, and thus more bytes are output than
} should be.  In addition, the old special-case handling of `%m' is
} annoying; it really should be done in vsnprintf().

You both missed the potential buffer overflow in the LOG_CONS case
when "\r\n" is appended to the buffer.

Also, if you're using Chris Torek's stdio package, rather than calling
snprintf() and vsnprintf() and manually keeping track of the end of
the buffer, why don't you call fprintf() and vfprintf() directly, the
same way as snprintf() and friends do?  This cleans up the code in
syslog() quite a bit.  And since the only version of snprintf() that
I've seen that doesn't ignore its size argument assumes a Torek style
stdio package ...

			---  Truck
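
The LOG_CONS case raised in the message above, handled by reserving room for the "\r\n" before formatting. This is an added example, not code from this thread or from the syslog() source; the function name `format_console_line` is hypothetical, and it assumes a C99 vsnprintf() that honors its size argument.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CRLF_LEN 2

/*
 * Format a message into buf (size bytes total) and end it with "\r\n",
 * as a console write needs.  Returns the number of bytes to write
 * (not counting the NUL), or 0 if buf cannot hold even "\r\n" + NUL.
 */
size_t format_console_line(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    size_t room, len;
    int n;

    if (size < CRLF_LEN + 1)
        return 0;
    room = size - CRLF_LEN;      /* space vsnprintf may use, NUL included */

    va_start(ap, fmt);
    n = vsnprintf(buf, room, fmt, ap);
    va_end(ap);

    if (n < 0)
        len = 0;                 /* formatting error: emit a bare CRLF */
    else if ((size_t)n >= room)
        len = room - 1;          /* message was truncated to fit */
    else
        len = (size_t)n;

    /* The two reserved bytes plus the NUL always fit here. */
    memcpy(buf + len, "\r\n", CRLF_LEN);
    len += CRLF_LEN;
    buf[len] = '\0';
    return len;
}

int main(void)
{
    char line[8];                /* deliberately small, constructed input */
    size_t n = format_console_line(line, sizeof line, "%s", "abcdefghijkl");

    fwrite(line, 1, n, stdout);
    return 0;
}
```

Appending the CRLF with strcat() after a full-length vsnprintf() is the pattern that overruns: the formatter has already consumed the last byte of the buffer.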