Source-Changes-HG archive
[src/trunk]: src/usr.sbin/amd/libamu In real_plog() change vsprintf() to vsnp...
details: https://anonhg.NetBSD.org/src/rev/cae22246ab17
branches: trunk
changeset: 480551:cae22246ab17
user: bouyer <bouyer%NetBSD.org@localhost>
date: Sat Jan 15 15:51:54 2000 +0000
description:
In real_plog() change vsprintf() to vsnprintf() to be sure we'll never overflow
msg[]. I didn't check all the plog() calls so I don't know if this overflow
is possible by a non-root user or not.
Suggested by Zdenek Salvet <salvet%ics.muni.cz@localhost> a looong time ago.
diffstat:
usr.sbin/amd/libamu/xutil.c | 13 +++++++------
1 files changed, 7 insertions(+), 6 deletions(-)
diffs (28 lines):
diff -r 8e89a5f89ae1 -r cae22246ab17 usr.sbin/amd/libamu/xutil.c
--- a/usr.sbin/amd/libamu/xutil.c Sat Jan 15 15:04:21 2000 +0000
+++ b/usr.sbin/amd/libamu/xutil.c Sat Jan 15 15:51:54 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xutil.c,v 1.4 1999/09/04 22:38:19 christos Exp $ */
+/* $NetBSD: xutil.c,v 1.5 2000/01/15 15:51:54 bouyer Exp $ */
/*
* Copyright (c) 1997-1999 Erez Zadok
@@ -425,12 +425,13 @@
expand_error(fmt, efmt, 1024);
/*
- * XXX: ptr is 1024 bytes long. It is possible to write into it
- * more than 1024 bytes, if efmt is already large, and vargs expand
- * as well.
+ * XXX: ptr is 1024 bytes long, but we may write to ptr[strlen(ptr) + 2]
+ * (to add an '\n', see code below) so we have to limit the string copy
+ * to 1023 (including the '\0').
+ *
*/
- vsprintf(ptr, efmt, vargs);
- msg[1023] = '\0'; /* null terminate, to be sure */
+ vsnprintf(ptr, 1023, efmt, vargs);
+ msg[1022] = '\0'; /* null terminate, to be sure */
ptr += strlen(ptr);
if (ptr[-1] == '\n')
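Review bot: the limits on the vsnprintf() line and the terminator line are hard-coded literals (1023 and 1022) that are only correct if ptr still points at msg[0] and msg is exactly 1024 bytes, and neither is visible in this hunk. Deriving the limit from the buffer, for example sizeof(msg) - 1 - (ptr - msg) (assuming msg is an array in scope here), would keep the byte reserved for the trailing '\n' correct if either assumption changes, and would make "msg[1022] = '\0';" redundant, since vsnprintf() terminates its output whenever the size is non-zero. In the unchanged context, "ptr += strlen(ptr);" followed by "if (ptr[-1] == '\n')" reads one byte before the start of the string when the expanded message is empty; a length check before the ptr[-1] test would close that. The return value of vsnprintf() is also discarded, so a truncated log message goes unnoticed.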