timed contains buffer overflows, and more

Douwe Kiela virtus at wanadoo.nl
Tue Aug 31 01:41:12 PDT 2004


Yet another patch...

Alright, I decided to go through the LEGACY functions one-by-one.. ftime()
isn't found anywhere in the source code, however, cftime() is, of which the
manual states:

     The cftime() and ascftime() functions are made obsolete by strftime(3).

     Use of the functions cftime() and ascftime() is strongly deprecated,
     since there is no way to check for a buffer overflow condition.  Use
     strftime(3) instead.

Some of the files that I came across cftime() in belong to the timed daemon.
While checking the code I found buffer overflows all over the place, just as
ambiguous (void) casts as well as #ifdef's that should have been removed
centuries ago. These #ifdef's contained the calls to cftime() which is part
of some ancient SGI log message generation system. You can find the
(somewhat huge) patch here:

http://leaf.dragonflybsd.org/~virtus/timed.diff

Here is the commit message:
----
Changes:
* Remove the #ifdef sgi code which mostly contains SGI specific log messages
* In removing the #ifdef sgi included code remove all non-standard cftime()
occurrences
* Replace all occurrences of strcpy by the safe strlcpy where needed
* Replace all occurrences of strncpy by the safer strlcpy where needed
* Avoid WARNS=2 error by renaming 'print' variable into 'printerr' to avoid
collision with the print() function in the same program (obtained from
NetBSD)
* Avoid WARNS=2 error by renaming 'adjtime' variable into 'adjusttime' to
avoid collisions with the adjtime() function in the same program (obtained
from NetBSD)

While being here, also:
* Some minor cleanups
* Remove all ambiguous (void) casts
----

I checked this, and it compiles fine. So it's a commit-to-go, I reckon ;-).

I hope anyone has time to commit this..

Regards,
Douwe Kiela
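
The two replacements named in the commit message above, as an added example that is not part of the original post or of timed.diff. copy_bounded is a hypothetical stand-in with strlcpy(3) semantics, and the host name and buffer sizes are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Stand-in with strlcpy(3) semantics, since not every libc ships strlcpy:
 * always NUL-terminates when size > 0 and returns strlen(src), so a
 * return value >= size tells the caller the copy was truncated. */
static size_t copy_bounded(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = (len >= size) ? size - 1 : len;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Returns 1 when strncpy(dst, src, size) leaves dst without a NUL. */
static int strncpy_unterminated(const char *src, size_t size)
{
    char dst[64];
    if (size > sizeof(dst))
        return -1;
    strncpy(dst, src, size);
    return memchr(dst, '\0', size) == NULL;
}

/* strftime() takes the buffer size and returns 0 when the result does
 * not fit, the check the manual quoted above says cftime() cannot make. */
static int format_stamp(char *buf, size_t size, time_t t)
{
    struct tm *tm = gmtime(&t);
    if (tm == NULL)
        return -1;
    return strftime(buf, size, "%Y-%m-%d %H:%M:%S", tm) == 0 ? -1 : 0;
}

int main(void)
{
    const char *name = "timed-master.example.org"; /* constructed input */
    char host[16], stamp[20];
    printf("strncpy unterminated: %d\n", strncpy_unterminated(name, sizeof(host)));
    if (copy_bounded(host, name, sizeof(host)) >= sizeof(host))
        printf("truncated to \"%s\"\n", host);
    if (format_stamp(stamp, sizeof(stamp), 0) == 0)
        printf("stamp: %s\n", stamp);
    return 0;
}
```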





