timed contains buffer overflows, and more

Matthew Dillon dillon at apollo.backplane.com
Fri Sep 3 11:07:02 PDT 2004


:Yet another patch...
:
:Alright, I decided to go through the LEGACY functions one-by-one.. ftime()
:isn't found anywhere in the source code, however, cftime() is, of which the
:manual states:
:
:     The cftime() and ascftime() functions are made obsolete by strftime(3).
:
:     Use of the functions cftime() and ascftime() is strongly deprecated,
:     since there is no way to check for a buffer overflow condition.  Use
:     strftime(3) instead.
:
:some of the files that I came across cftime() in belong to the timed daemon.
:While checking the code I found buffer overflows all over the place, just as
:ambiguous (void) casts as well as #ifdef's that should have been removed
:centuries ago. These #ifdef's contained the calls to cftime() which is part
:of some ancient SGI log message generation system. You can find the
:(somewhat huge) patch here:
:
:http://leaf.dragonflybsd.org/~virtus/timed.diff

    I'm going through these now but I would like to request that you not
    separate declaration/assignment combinations in future multi-change patch
    sets.

    e.g. don't change 'int x = 4;' to 'int x; ..... x = 4;' when it's part
    of a larger patch set.  It takes a long time to verify that those
    assignment breakups are correct relative to the short time it takes
    to simply check the (void) removals and strcpy->strlcpy changes and 
    such.  And it doesn't add enough value to the patch.  There are 
    millions of declaration/assignments combos in the source tree.  

						-Matt
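
Added example, not part of the original message or of the timed patch: the two kinds of change the thread mentions, cftime() replaced by strftime(3) and an unbounded strcpy() replaced by a bounded copy, each with the overflow check the old calls could not provide. The helper names fmt_stamp(), copy_name() and sample_tm() and the sample timestamp are constructed for illustration, and snprintf() stands in for strlcpy() because strlcpy() is not present in every libc.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper: format a timestamp into buf (size bytes).
 * Unlike cftime(), strftime() is told the buffer size and returns 0
 * when the result plus NUL does not fit (buf is then undefined).
 * An empty result also returns 0 and is treated as a failure here. */
static int
fmt_stamp(char *buf, size_t size, const char *fmt, const struct tm *tm)
{
	if (size == 0)
		return (-1);
	if (strftime(buf, size, fmt, tm) == 0) {
		buf[0] = '\0';		/* never hand back undefined bytes */
		return (-1);
	}
	return (0);
}

/* Hypothetical helper: bounded copy that reports truncation, the same
 * check a strcpy -> strlcpy conversion is meant to make possible. */
static int
copy_name(char *dst, size_t size, const char *src)
{
	int n = snprintf(dst, size, "%s", src);

	return ((n < 0 || (size_t)n >= size) ? -1 : 0);
}

/* Constructed sample input: 2004-09-03 11:07:02. */
static struct tm
sample_tm(void)
{
	struct tm tm;

	memset(&tm, 0, sizeof(tm));
	tm.tm_year = 104; tm.tm_mon = 8; tm.tm_mday = 3;
	tm.tm_hour = 11; tm.tm_min = 7; tm.tm_sec = 2;
	return (tm);
}

int
main(void)
{
	struct tm tm = sample_tm();
	char stamp[20], tiny[8];

	printf("stamp: %d\n", fmt_stamp(stamp, sizeof(stamp), "%Y-%m-%d %H:%M:%S", &tm));
	printf("tiny:  %d\n", fmt_stamp(tiny, sizeof(tiny), "%Y-%m-%d %H:%M:%S", &tm));
	printf("copy:  %d\n", copy_name(tiny, sizeof(tiny), "a-very-long-hostname"));
	return (0);
}
```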
