In real_plog() change vsprintf() to vsnprintf() to be sure we'll never overflow
msg[]. I didn't check all the plog() calls so I don't know if this overflow
is possible by a non-root user or not.
Suggested by Zdenek Salvet <salvet@ics.muni.cz> a looong time ago.
bouyer 2000-01-15 15:51:54 +00:00
parent 921c6acc0e
commit f0f0eba116

@ -1,4 +1,4 @@
/* $NetBSD: xutil.c,v 1.4 1999/09/04 22:38:19 christos Exp $ */
/* $NetBSD: xutil.c,v 1.5 2000/01/15 15:51:54 bouyer Exp $ */
/*
* Copyright (c) 1997-1999 Erez Zadok
@ -425,12 +425,13 @@ real_plog(int lvl, char *fmt, va_list vargs)
expand_error(fmt, efmt, 1024);
/*
* XXX: ptr is 1024 bytes long. It is possible to write into it
* more than 1024 bytes, if efmt is already large, and vargs expand
* as well.
* XXX: ptr is 1024 bytes long, but we may write to ptr[strlen(ptr) + 2]
* (to add an '\n', see code below) so we have to limit the string copy
* to 1023 (including the '\0').
*
*/
vsprintf(ptr, efmt, vargs);
msg[1023] = '\0'; /* null terminate, to be sure */
vsnprintf(ptr, 1023, efmt, vargs);
msg[1022] = '\0'; /* null terminate, to be sure */
ptr += strlen(ptr);
if (ptr[-1] == '\n')
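Review bot: The limits in vsnprintf(ptr, 1023, efmt, vargs) and msg[1022] = '\0' are hard-coded, and they only hold if ptr still points at the start of msg and msg really is 1024 bytes as the comment says; derive them from the buffer instead, for example sizeof(msg) - 1 less whatever offset ptr already has into msg. Because vsnprintf() terminates within the size it is given, the explicit msg[1022] store is redundant once the limit is right, and if it stays it should use the same sizeof expression. The new comment speaks of writing to ptr[strlen(ptr) + 2], which at the maximum length of 1022 would be index 1024, one past a 1024-byte buffer, so either the comment or the limit needs adjusting to match the code that appends the '\n'. Separately, the context line if (ptr[-1] == '\n') reads one byte before the formatted text when that text is empty; a length check ahead of it would close that.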