Source-Changes-HG archive


[src/netbsd-1-4]: src/usr.sbin/amd/libamu Pull up revision 1.5 (requested by ...



details:   https://anonhg.NetBSD.org/src/rev/0f79d14860fb
branches:  netbsd-1-4
changeset: 470178:0f79d14860fb
user:      he <he%NetBSD.org@localhost>
date:      Sun Jan 23 12:16:27 2000 +0000

description:
Pull up revision 1.5 (requested by bouyer):
  Check for buffer overflow in real_plog(), in case it could be
  called with a malicious string.  No known exploit, and it's
  not obvious it's possible.

diffstat:

 usr.sbin/amd/libamu/xutil.c |  13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)

diffs (28 lines):

diff -r 7001261ab266 -r 0f79d14860fb usr.sbin/amd/libamu/xutil.c
--- a/usr.sbin/amd/libamu/xutil.c       Sun Jan 23 12:10:09 2000 +0000
+++ b/usr.sbin/amd/libamu/xutil.c       Sun Jan 23 12:16:27 2000 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xutil.c,v 1.3.2.1 1999/09/21 04:58:32 cgd Exp $        */
+/*     $NetBSD: xutil.c,v 1.3.2.2 2000/01/23 12:16:27 he Exp $ */
 
 /*
  * Copyright (c) 1997-1999 Erez Zadok
@@ -425,12 +425,13 @@
   expand_error(fmt, efmt, 1024);
 
   /*
-   * XXX: ptr is 1024 bytes long.  It is possible to write into it
-   * more than 1024 bytes, if efmt is already large, and vargs expand
-   * as well.
+   * XXX: ptr is 1024 bytes long, but we may write to ptr[strlen(ptr) + 2]
+   * (to add an '\n', see code below) so we have to limit the string copy
+   * to 1023 (including the '\0').
+   * 
    */
-  vsprintf(ptr, efmt, vargs);
-  msg[1023] = '\0';            /* null terminate, to be sure */
+  vsnprintf(ptr, 1023, efmt, vargs);
+  msg[1022] = '\0';            /* null terminate, to be sure */
 
   ptr += strlen(ptr);
   if (ptr[-1] == '\n')
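Review bot: In the vsnprintf() replacement, the bound 1023 and the index in `msg[1022] = '\0';` are bare literals that must stay in step with the 1024 passed to expand_error() just above and with the size quoted in the comment; deriving all three from one constant (or from sizeof on the buffer, if it is an array in scope here) would keep the byte reserved for the trailing '\n' correct if the buffer size ever changes. The formatted output goes through ptr while the terminator is stored through msg, which is only equivalent if ptr still points at the start of msg at this point; since vsnprintf() with a size of 1023 already terminates within the first 1023 bytes, the explicit store could be written through ptr or dropped. The new comment also does not match the bound: with a limit of 1023, strlen(ptr) can be 1022, and ptr[strlen(ptr) + 2] would then be ptr[1024], one past a 1024-byte buffer, so either the comment means offsets strlen(ptr) and strlen(ptr) + 1 or the limit is one too large; please reword it, and drop the empty ` * ` line at its end. Separately, the context line `if (ptr[-1] == '\n')` reads one byte before the position ptr started at when the expanded message is empty, which is worth guarding with a length check.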


