-----BEGIN PGP SIGNED MESSAGE----- Index: xutil.c =================================================================== RCS file: /home/ncvs/src/contrib/amd/libamu/xutil.c,v retrieving revision 1.1.1.3 retrieving revision 1.1.1.3.2.1 diff -u -r1.1.1.3 -r1.1.1.3.2.1 --- xutil.c 1999/01/13 19:20:33 1.1.1.3 +++ xutil.c 1999/08/25 18:59:39 1.1.1.3.2.1 @@ -272,16 +272,18 @@ /* * Take a log format string and expand occurrences of %m - * with the current error code taken from errno. + * with the current error code taken from errno. Make sure + * 'e' never gets longer than maxlen characters. */ static void -expand_error(char *f, char *e) +expand_error(char *f, char *e, int maxlen) { extern int sys_nerr; - char *p; + char *p, *q; int error = errno; + int len = 0; - for (p = f; (*e = *p); e++, p++) { + for (p = f, q = e; (*q = *p) && len < maxlen; len++, q++, p++) { if (p[0] == '%' && p[1] == 'm') { const char *errstr; if (error < 0 || error >= sys_nerr) @@ -289,13 +291,15 @@ else errstr = sys_errlist[error]; if (errstr) - strcpy(e, errstr); + strcpy(q, errstr); else - sprintf(e, "Error %d", error); - e += strlen(e) - 1; + sprintf(q, "Error %d", error); + len += strlen(q) - 1; + q += strlen(q) - 1; p++; } } + e[maxlen-1] = '\0'; /* null terminate, to be sure */ } @@ -401,9 +405,15 @@ checkup_mem(); #endif /* DEBUG_MEM */ - expand_error(fmt, efmt); + expand_error(fmt, efmt, 1024); + /* + * XXX: ptr is 1024 bytes long. It is possible to write into it + * more than 1024 bytes, if efmt is already large, and vargs expand + * as well. + */ vsprintf(ptr, efmt, vargs); + msg[1023] = '\0'; /* null terminate, to be sure */ ptr += strlen(ptr); if (ptr[-1] == '\n') Index: amq_subr.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/contrib/amd/amd/amq_subr.c,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- amq_subr.c 1999/01/13 20:03:54 1.3 +++ amq_subr.c 1999/09/07 23:07:03 1.4 @@ -204,11 +204,24 @@ int * amqproc_mount_1_svc(voidp argp, struct svc_req *rqstp) { - static int rc; - char *s = *(amq_string *) argp; + static int rc = EINVAL; + char s[AMQ_STRLEN]; char *cp; + char dq[20]; + struct sockaddr_in *sin; + + if ((sin = amu_svc_getcaller(rqstp->rq_xprt)) == NULL) { + plog(XLOG_ERROR, "amu_svc_getcaller returned NULL"); + return &rc; + } + + strncpy(s, *(amq_string *) argp, AMQ_STRLEN-1); + s[AMQ_STRLEN-1] = '\0'; /* null terminate, to be sure */ + plog(XLOG_ERROR, + "amq requested mount of %s from %s.%d", + s, inet_dquad(dq, sin->sin_addr.s_addr), + ntohs(sin->sin_port)); - plog(XLOG_INFO, "amq requested mount of %s", s); /* * Minimalist security check. */ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBN+VNOVUuHi5z0oilAQGELgP/aMopeczE5TqvOVnNQCpv2dWX8klnFEhn K2TVhpLw0HoJHASWEtalMznxCLe/CzAdw/NmYiqrKeletHL1tfclbbS1+TLPW7tB p2iN5iQQfaczD95fJip7St4hrPxgSE/kvIHa92YAoa6i1A1JOsM5o5tlUC4kJiiY n/ORSJvPlb0= =APcV -----END PGP SIGNATURE-----