Date:      Wed, 24 Nov 1999 09:50:52 +0200 (SAT)
From:      John Hay <jhay@mikom.csir.co.za>
To:        green@FreeBSD.ORG (Brian Fundakowski Feldman)
Cc:        current@FreeBSD.ORG
Subject:   Re: Overflow in banner(1)
Message-ID:  <199911240750.JAA96874@zibbi.mikom.csir.co.za>
In-Reply-To: <Pine.BSF.4.10.9911240033221.40905-100000@green.dyndns.org> from Brian Fundakowski Feldman at "Nov 24, 1999 00:44:11 am"

Hmmm, but now that you have changed message to be a pointer, the
sizeof(message) at the end of the patch will return the size of
a pointer which is 4 and probably not what you want. :-)

I think we should be careful when we make our security fixes so
that we don't introduce new bugs, which was also the problem that
I had the other day with doscmd.

John
-- 
John Hay -- John.Hay@mikom.csir.co.za

> I'd prefer something like this that I've attached.  The move over the
> years has been away from artificial limits...
> 
> -- 
>  Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
>  green@FreeBSD.org                    `------------------------------'
> 
> 
> Index: banner.c
> ===================================================================
> RCS file: /usr2/ncvs/src/usr.bin/banner/banner.c,v
> retrieving revision 1.6
> diff -u -r1.6 banner.c
> --- banner.c	1999/04/19 04:05:25	1.6
> +++ banner.c	1999/11/24 05:41:35
> @@ -1018,7 +1018,7 @@
>  };
>  
>  char	line[DWIDTH];
> -char	message[MAXMSG];
> +char	*message;
>  char	print[DWIDTH];
>  int	debug, i, j, linen, max, nchars, pc, term, trace, x, y;
>  int	width = DWIDTH;	/* -w option: scrunch letters to 80 columns */
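Review bot: Turning `char message[MAXMSG]` into `char *message` at this declaration changes what `sizeof(message)` evaluates to everywhere else in the file, from MAXMSG to the size of a pointer, so every remaining `sizeof(message)` has to be replaced with an explicit length in the same change. A short comment on the declaration stating that the buffer is now heap-allocated before use, and how large it is on each path, would make that dependency visible to the next reader.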
> @@ -1058,14 +1058,24 @@
>  
>  	/* Have now read in the data. Next get the message to be printed. */
>  	if (*argv) {
> -		strcpy(message, *argv);
> +		message = strdup(*argv);
> +		if (message == NULL)
> +			err(1, "strdup");
>  		while (*++argv) {
> -			strcat(message, " ");
> -			strcat(message, *argv);
> +			char *omessage;
> +
> +			omessage = message;
> +			asprintf(&message, "%s %s", message, *argv);
> +			if (message == NULL)
> +				err(1, "asprintf");
> +			free(omessage);
>  		}
>  		nchars = strlen(message);
>  	} else {
>  		fprintf(stderr,"Message: ");
> +		message = malloc(MAXMSG);
> +		if (message == NULL)
> +			err(1, "malloc");
>  		(void)fgets(message, sizeof(message), stdin);
>  		nchars = strlen(message);
>  		message[nchars--] = '\0';	/* get rid of newline */
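Review bot: The unchanged `(void)fgets(message, sizeof(message), stdin);` line directly after the new `malloc(MAXMSG)` now passes the size of a `char *` instead of MAXMSG, so the interactive path reads only a few bytes into a MAXMSG-byte buffer; pass `MAXMSG` as the length. The `fgets` result is still discarded, and since the buffer now comes from `malloc` it is not zero-filled, so on EOF the following `strlen(message)` runs over uninitialised memory; check for a NULL return before using the buffer. In the argv loop, failure of `asprintf` is detected through `message == NULL`, but what the call leaves in the pointer on failure differs between implementations, so testing its return value for -1 is the portable check.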

