NetBSD/libexec/talkd
itojun 89b1e287f7 find_user() in process.c does an unbounded copy into a destination
buffer that is smaller in size than the source buffer.

also, there is no guarantee that any of the string components of
the request packet are null terminated.

in some cases, not all elements of the response buffer are
explicitly set. specifically pad and addr. a talk client can spy to
see which host is talking to which host by sending out regular
packets, to which talkd responds without clearing the addr element.

from xs@kittenz.org
2002-09-19 14:39:51 +00:00
..
Makefile use NETBSDSRCDIR as appropriate 2002-09-19 03:17:50 +00:00
announce.c
extern.h find_user() in process.c does an unbounded copy into a destination 2002-09-19 14:39:51 +00:00
print.c
process.c find_user() in process.c does an unbounded copy into a destination 2002-09-19 14:39:51 +00:00
table.c
talkd.8
talkd.c find_user() in process.c does an unbounded copy into a destination 2002-09-19 14:39:51 +00:00