Date: Wed, 24 Nov 1999 09:50:52 +0200 (SAT)
From: John Hay <jhay@mikom.csir.co.za>
To: green@FreeBSD.ORG (Brian Fundakowski Feldman)
Cc: current@FreeBSD.ORG
Subject: Re: Overflow in banner(1)
Message-ID: <199911240750.JAA96874@zibbi.mikom.csir.co.za>
In-Reply-To: <Pine.BSF.4.10.9911240033221.40905-100000@green.dyndns.org> from Brian Fundakowski Feldman at "Nov 24, 1999 00:44:11 am"
Hmmm, but now that you have changed message to be a pointer, the sizeof(message) at the end of the patch will return the size of a pointer which is 4 and probably not what you want. :-)

I think we should be careful when we make our security fixes so that we don't introduce new bugs, which was also the problem that I had the other day with doscmd.

John
-- 
John Hay -- John.Hay@mikom.csir.co.za

> I'd prefer something like this that I've attached. The move over the > years has been away from artificial limits... > > -- > Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! / > green@FreeBSD.org `------------------------------' > > > Index: banner.c > =================================================================== > RCS file: /usr2/ncvs/src/usr.bin/banner/banner.c,v > retrieving revision 1.6 > diff -u -r1.6 banner.c > --- banner.c 1999/04/19 04:05:25 1.6 > +++ banner.c 1999/11/24 05:41:35 > @@ -1018,7 +1018,7 @@ > }; > > char line[DWIDTH]; > -char message[MAXMSG]; > +char *message; > char print[DWIDTH]; > int debug, i, j, linen, max, nchars, pc, term, trace, x, y; > int width = DWIDTH; /* -w option: scrunch letters to 80 columns */ 
> @@ -1058,14 +1058,24 @@ > > /* Have now read in the data. Next get the message to be printed. */ > if (*argv) { > - strcpy(message, *argv); > + message = strdup(*argv); > + if (message == NULL) > + err(1, "strdup"); > while (*++argv) { > - strcat(message, " "); > - strcat(message, *argv); > + char *omessage; > + > + omessage = message; > + asprintf(&message, "%s %s", message, *argv); > + if (message == NULL) > + err(1, "asprintf"); > + free(omessage); > } > nchars = strlen(message); > } else { > fprintf(stderr,"Message: "); > + message = malloc(MAXMSG); > + if (message == NULL) > + err(1, "malloc"); > (void)fgets(message, sizeof(message), stdin); > nchars = strlen(message); > message[nchars--] = '\0'; /* get rid of newline */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
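Review bot: Replacing `char message[MAXMSG];` with `char *message;` in the first hunk (@@ -1018,7) changes what every existing `sizeof(message)` in banner.c evaluates to, from MAXMSG to the size of a pointer, and the compiler will not flag it. Search the file for `sizeof(message)` as part of this change and replace each use with the allocated length; keeping that length in a variable next to the pointer avoids the mismatch.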
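Review bot: In the stdin branch of the second hunk (@@ -1058,14), `fgets(message, sizeof(message), stdin)` is left as unchanged context after the new `message = malloc(MAXMSG);`, so the read limit is now the size of a pointer rather than the MAXMSG bytes just allocated, and interactive input is cut to a few characters. Pass MAXMSG (or a variable holding the allocated size) to fgets. In the argv loop, test the return value of asprintf (-1 on failure) instead of `message == NULL`, since not every implementation sets the pointer to NULL when the call fails.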
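The defect John describes, as an added example that is not part of the original message or of banner.c: once `message` is a pointer, `sizeof(message)` is the pointer size (4 or 8 bytes depending on the platform), so `fgets` stops after a few characters. The value of `MAXMSG`, the function names and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXMSG 1024 /* assumed value; banner.c's definition is not shown on the page */

/* Constructed sample input: 20 characters plus a newline. */
static const char SAMPLE[] = "Hello, FreeBSD world\n";

/* Returns a temporary stream positioned at the start of `text`. */
static FILE *stream_with(const char *text) {
    FILE *fp = tmpfile();
    if (fp != NULL) {
        fputs(text, fp);
        rewind(fp);
    }
    return fp;
}

/* Reads one line into a MAXMSG-byte heap buffer, passing `limit` to fgets,
 * strips the newline and returns how many characters were stored. */
static size_t read_line(size_t limit) {
    FILE *in = stream_with(SAMPLE);
    char *message = malloc(MAXMSG);
    size_t n = 0;
    if (in != NULL && message != NULL && fgets(message, (int)limit, in) != NULL) {
        message[strcspn(message, "\n")] = '\0';
        n = strlen(message);
    }
    free(message);
    if (in != NULL)
        fclose(in);
    return n;
}

/* The patched code's pattern: sizeof applied to the pointer, not the buffer. */
size_t read_with_sizeof_pointer(void) {
    char *message = NULL;
    return read_line(sizeof(message)); /* 4 or 8, regardless of MAXMSG */
}

/* Corrected pattern: pass the capacity that was actually allocated. */
size_t read_with_capacity(void) {
    return read_line(MAXMSG);
}

int main(void) {
    printf("sizeof(pointer) limit: %zu chars kept\n", read_with_sizeof_pointer());
    printf("MAXMSG limit:          %zu chars kept\n", read_with_capacity());
    return 0;
}
```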