timed contains buffer overflows, and more
Douwe Kiela
virtus at wanadoo.nl
Tue Aug 31 01:41:12 PDT 2004
Yet another patch...
Alright, I decided to go through the LEGACY functions one-by-one.. ftime()
isn't found anywhere in the source code, however, cftime() is, of which the
manual states:
    The cftime() and ascftime() functions are made obsolete by strftime(3).
    Use of the functions cftime() and ascftime() is strongly deprecated,
    since there is no way to check for a buffer overflow condition. Use
    strftime(3) instead.
Some of the files that I came across cftime() in belong to the timed daemon.
While checking the code I found buffer overflows all over the place, just as
ambiguous (void) casts as well as #ifdef's that should have been removed
centuries ago. These #ifdef's contained the calls to cftime() which is part
of some ancient SGI log message generation system. You can find the
(somewhat huge) patch here:
http://leaf.dragonflybsd.org/~virtus/timed.diff
Here is the commit message:
----
Changes:
* Remove the #ifdef sgi code which mostly contains SGI specific log messages
* In removing the #ifdef sgi included code remove all non-standard cftime()
occurrences
* Replace all occurrences of strcpy by the safe strlcpy where needed
* Replace all occurrences of strncpy by the safer strlcpy where needed
* Avoid WARNS=2 error by renaming 'print' variable into 'printerr' to avoid
collision with the print() function in the same program (obtained from
NetBSD)
* Avoid WARNS=2 error by renaming 'adjtime' variable into 'adjusttime' to
avoid collisions with the adjtime() function in the same program (obtained
from NetBSD)
While being here, also:
* Some minor cleanups
* Remove all ambiguous (void) casts
----
I checked this, and it compiles fine. So it's a commit-to-go, I reckon ;-).
I hope anyone has time to commit this..
Regards,
Douwe Kiela
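
Added example, not part of the original post and not taken from timed.diff: a short C program showing why the commit message's two replacements matter, with strncpy leaving a fixed field unterminated, a bounded copy that reports truncation, and strftime(3) refusing to write past the buffer size it is given. The names copy_bounded, set_hostname, strncpy_terminates and format_stamp, the 8-byte field and the sample host names are assumptions made for illustration; copy_bounded is a stand-in with strlcpy(3) semantics so the code builds where libc lacks strlcpy.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper with strlcpy(3) semantics: always NUL-terminates and
 * returns strlen(src), so a result >= dstsize means truncation. */
static size_t copy_bounded(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Copy a name into a fixed-size field: 0 on success, -1 if it was truncated. */
int set_hostname(char *field, size_t fieldsize, const char *name)
{
    return copy_bounded(field, name, fieldsize) >= fieldsize ? -1 : 0;
}

/* strncpy writes no NUL when strlen(src) >= n.
 * Returns 1 if the 8-byte field ends up terminated, 0 if not. */
int strncpy_terminates(const char *name)
{
    char field[8];
    memset(field, 'X', sizeof(field));
    strncpy(field, name, sizeof(field));
    return memchr(field, '\0', sizeof(field)) != NULL;
}

/* Unlike cftime(), strftime(3) is told the buffer size and returns 0 when
 * the formatted time does not fit. Returns bytes written, 0 on failure. */
size_t format_stamp(char *buf, size_t bufsize, time_t when)
{
    struct tm *tm = gmtime(&when);
    return tm ? strftime(buf, bufsize, "%Y-%m-%d %H:%M:%S", tm) : 0;
}

int main(void)
{
    char host[8], stamp[32];
    printf("strncpy terminated: %d\n", strncpy_terminates("longhostname"));
    printf("set_hostname: %d\n", set_hostname(host, sizeof(host), "longhostname"));
    printf("stamp length: %zu\n", format_stamp(stamp, sizeof(stamp), (time_t)0));
    return 0;
}
```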