Date: Mon, 13 Jan 1997 21:17:04 +1100 From: Bruce Evans <bde@zeta.org.au> To: davidn@unique.usn.blaze.net.au, joerg_wunsch@uriah.heep.sax.de Cc: hackers@FreeBSD.org Subject: Re: unused variable in su Message-ID: <199701131017.VAA14907@godzilla.zeta.org.au>
next in thread | raw e-mail | index | archive | help
>> Still, it's fairly obfuscated code. It could be better worded: > >IMHO, it is fine (and yes, it should be strncpy()). Using the return It should be strdup(). Using strncpy() or snprintf() to handle buffer overflows by truncating the string is sloppy. >> Btw., shouldn't it better be a strncpy() anyway? Sure, /etc/shells is >> at the mercy of the sysadmin, but he isn't unfailable. > >It is /etc/master.passwd in this case, but what you say is still true. >In a setuid binary no less, but fortunately no "return" anywhere in >main(). It may be possible to clear the variable `ruid' by overwriting the first byte of it with the terminating null... Bruce
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701131017.VAA14907>