
This fixes potential buffer overflows, corrects getopt(3) usage (getopt(3) returns -1, not EOF these days), and adds another PCTS tweak to pass an arguably bogus test. The diff is reversed, sorry about that. ... --- time/localtime.c Mon Jan 13 20:17:09 1997 ... - if ((strlen(p) + strlen(name) + 2) >= sizeof fullname) + if ((strlen(p) + strlen(name) + 1) >= sizeof fullname) return -1; ...
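Review bot: the diff is reversed, so the `-` line (`+ 2`) is the proposed check and the `+` line (`+ 1`) is the existing one; both are safe, and the existing one is the exact bound. The assembled name needs strlen(p) + 1 + strlen(name) + 1 bytes including its terminator, which exceeds the buffer precisely when `strlen(p) + strlen(name) + 1 >= sizeof fullname`; the proposed `+ 2 >=` additionally rejects a name that fills the buffer exactly. If the goal is to make the terminator visible in the arithmetic, write the condition as `strlen(p) + 1 + strlen(name) + 1 > sizeof fullname` (`+ 2` with `>`) rather than changing the constant under `>=`, and add a one-line comment stating the count so the next reader does not re-derive it.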
There's a problem if the number of characters in a to-be-generated full file name (exclusive of the trailing '\0') equals or exceeds the size of the filename buffer. The number of characters (exclusive of the trailing '\0') is strlen(p) + strlen(name) + 1 (where the "1" is for the slash that separates the directory from the name) and the size of the filename buffer is sizeof fullname. It looks to me as if the above test is correct; does anyone see something I've missed?
--- time/zdump.c Mon Jan 13 20:17:17 1997 ... (void) strncpy(buf, abbr(&tm), (sizeof buf) - 1); - buf[(sizeof buf) - 1] = '\0'; ... (void) strncpy(buf, abbr(&newtm), (sizeof buf) - 1); - buf[(sizeof buf) - 1] = '\0'; ... (void) strncpy(loab, abbr(&lotm), (sizeof loab) - 1); - loab[(sizeof loab) - 1] = '\0';
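Review bot: the explicit `buf[(sizeof buf) - 1] = '\0'` lines (the `-` lines, since the diff is reversed) are redundant while `buf` and `loab` are zero-initialized static arrays that strncpy, given the `- 1`, can never write, but they are not wrong: they become necessary the moment one of these arrays is made automatic, is reused through a pointer, or the size argument stops sparing the last byte. Keeping them is cheap insurance rather than a correctness fix; if they stay, a short comment saying the termination is defensive would stop the next reader from looking for the bug it supposedly closes.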
The strncpy's above all have static arrays as their destinations; since the static arrays are initialized to '\0's, and since the strncpy's can't change the last positions in the arrays (given the "- 1"s in the strncpy arguments), the sets of the last elements to '\0' seem unneeded. Does anyone see something I've missed?
--- time/zic.c Wed Jan 15 16:41:36 1997 ... - while ((c = getopt(argc, argv, "d:l:p:L:vsy:")) != -1) + while ((c = getopt(argc, argv, "d:l:p:L:vsy:")) != EOF)
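Review bot: `-1` (the `-` line, since the diff is reversed) is the sentinel POSIX specifies for getopt, and on implementations whose getopt still returns EOF that macro is -1 in practice, so the comparison against -1 works on both without a conditional; it is the comparison against EOF that carries the portability risk, since nothing in the getopt interface ties its sentinel to a stdio macro. No `#ifdef` around this loop seems warranted.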
If anyone knows a good way of conditionalizing this (to cope with, for example, SunOS 4.1.1), I'd appreciate hearing from you. --ado
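The strncpy argument above, run as an added example (this is not code from the tz distribution or from either poster): the same copy pattern on a zero-initialized static array, on an automatic array without the explicit terminator, and on an automatic array with it. ABBR_BUF, the buffer names, and the "garbage" pre-fill are assumptions chosen so the truncation case is visible.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the tz distribution. ABBR_BUF is an assumed
 * small size so that an over-long abbreviation visibly truncates. */
#define ABBR_BUF 8

/* Static destination, as in zdump.c: zero-initialized at program start, and
 * strncpy with (sizeof buf) - 1 can never write static_buf[ABBR_BUF - 1]. */
static char static_buf[ABBR_BUF];

/* 1 if a terminating '\0' exists somewhere in the first size bytes. */
static int terminated(const char *buf, size_t size)
{
	return memchr(buf, '\0', size) != NULL;
}

/* The pattern under discussion on a static array. Safe on every call,
 * including reuse after a longer abbreviation, because strncpy pads the
 * unused tail with '\0' and the last byte is never touched. */
const char *copy_static(const char *abbr)
{
	(void) strncpy(static_buf, abbr, sizeof static_buf - 1);
	return static_buf;
}

/* Same pattern on an automatic array, without the explicit terminator.
 * The buffer is pre-filled with 'X' to stand in for stack contents
 * (constructed garbage). Returns 1 if the result is still a C string. */
int copy_auto_unterminated(const char *abbr)
{
	char buf[ABBR_BUF];

	memset(buf, 'X', sizeof buf);
	(void) strncpy(buf, abbr, sizeof buf - 1);
	return terminated(buf, sizeof buf);
}

/* As above, plus the line the patch adds. Always a C string. */
int copy_auto_terminated(const char *abbr)
{
	char buf[ABBR_BUF];

	memset(buf, 'X', sizeof buf);
	(void) strncpy(buf, abbr, sizeof buf - 1);
	buf[sizeof buf - 1] = '\0';
	return terminated(buf, sizeof buf);
}

int main(void)
{
	const char *short_abbr = "LMT";		/* constructed */
	const char *long_abbr = "ABCDEFGHIJ";	/* constructed, longer than ABBR_BUF */

	printf("static, long:        \"%s\"\n", copy_static(long_abbr));
	printf("static, short:       \"%s\"\n", copy_static(short_abbr));
	printf("auto no term, short: %s\n",
	    copy_auto_unterminated(short_abbr) ? "terminated" : "NOT terminated");
	printf("auto no term, long:  %s\n",
	    copy_auto_unterminated(long_abbr) ? "terminated" : "NOT terminated");
	printf("auto + term, long:   %s\n",
	    copy_auto_terminated(long_abbr) ? "terminated" : "NOT terminated");
	return 0;
}
```

The static case is correct on every call, which is the point made above; the automatic case shows why the added terminator is worth keeping anyway: it only matters for abbreviations of ABBR_BUF - 1 characters or more, exactly the inputs a test with short zone abbreviations never exercises.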

In message <199701202209.RAA03151@flower.nci.nih.gov> so spake (ado):
There's a problem if the number of characters in a to-be-generated full file name (exclusive of the trailing '\0') equals or exceeds the size of the filename buffer. The number of characters (exclusive of the trailing '\0') is strlen(p) + strlen(name) + 1 (where the "1" is for the slash that separates the directory from the name) and the size of the filename buffer is sizeof fullname. It looks to me as if the above test is correct; does anyone see something I've missed?
But why don't you count the trailing '\0'? You need to guarantee that the string can be NULL-terminated, right? That's why I think it should be +2, not +1.
--- time/zic.c Wed Jan 15 16:41:36 1997 ... - while ((c = getopt(argc, argv, "d:l:p:L:vsy:")) != -1) + while ((c = getopt(argc, argv, "d:l:p:L:vsy:")) != EOF)
If anyone knows a good way of conditionalizing this (to cope with, for example, SunOS 4.1.1), I'd appreciate hearing from you.
Solaris gets this wrong too, but POSIX does say that getopt(3) should return -1 on error or when no more args. However, most OSes define EOF to be -1 so the -1 should work for legacy systems as well. - todd
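The "+1 versus +2" disagreement in the two messages above comes down to whether the comparison is `>=` or `>`, so here is the arithmetic carried out as an added example (not code from localtime.c or from either poster). FULLNAME_SIZE, the directory and zone names, and the use of strcpy/strcat for the copy are assumptions; the example computes the true byte requirement and runs both checks, plus the `+ 2 >` form, against inputs that land exactly on the boundary.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from localtime.c. FULLNAME_SIZE is an assumed small
 * buffer size chosen so the boundary cases are short strings. */
#define FULLNAME_SIZE 16

/* Bytes the assembled "dir/name" occupies, including the terminating '\0'. */
size_t bytes_needed(const char *dir, const char *name)
{
	return strlen(dir) + 1 + strlen(name) + 1;
}

/* Ground truth: the copy overflows exactly when it needs more bytes than exist. */
int would_overflow(const char *dir, const char *name)
{
	return bytes_needed(dir, name) > FULLNAME_SIZE;
}

/* The existing localtime.c test, "+ 1 >= sizeof fullname". 1 = reject. */
int rejects_plus1(const char *dir, const char *name)
{
	return (strlen(dir) + strlen(name) + 1) >= FULLNAME_SIZE;
}

/* The proposed test, "+ 2 >= sizeof fullname". */
int rejects_plus2(const char *dir, const char *name)
{
	return (strlen(dir) + strlen(name) + 2) >= FULLNAME_SIZE;
}

/* "+ 2" is exact once the comparison is ">" instead of ">=": the extra 1 then
 * counts the terminator that ">=" was already counting implicitly. */
int rejects_plus2_strict(const char *dir, const char *name)
{
	return (strlen(dir) + strlen(name) + 2) > FULLNAME_SIZE;
}

/* Assemble the name behind the exact check (strcpy/strcat assumed for the
 * copy itself). Returns 0 on success, -1 when the name would not fit. */
int build_fullname(char *out, size_t outsize, const char *dir, const char *name)
{
	if (strlen(dir) + strlen(name) + 1 >= outsize)
		return -1;
	(void) strcpy(out, dir);
	(void) strcat(out, "/");
	(void) strcat(out, name);
	return 0;
}

int main(void)
{
	/* Constructed inputs: the first needs exactly FULLNAME_SIZE bytes,
	 * the second needs one more. */
	const char *dir = "/usr/zone";
	const char *names[] = { "UTC12", "UTC123" };
	char fullname[FULLNAME_SIZE];
	size_t i;

	for (i = 0; i < sizeof names / sizeof names[0]; ++i) {
		printf("%s/%s: needs %zu of %d bytes; overflow=%d  +1>=:%d  +2>=:%d  +2>:%d  build=%d\n",
		    dir, names[i], bytes_needed(dir, names[i]), FULLNAME_SIZE,
		    would_overflow(dir, names[i]), rejects_plus1(dir, names[i]),
		    rejects_plus2(dir, names[i]), rejects_plus2_strict(dir, names[i]),
		    build_fullname(fullname, sizeof fullname, dir, names[i]));
	}
	return 0;
}
```

For the name that fills the buffer exactly, `+ 1 >=` and `+ 2 >` both accept it and `+ 2 >=` rejects it; for the name one byte longer, all three reject. So the `+ 2` version is off by one in the safe direction, and the only real hazard is someone later flipping `>=` to `>` without also changing the constant.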
participants (2)
- ado@elsie
- Todd C. Miller