9fans archive / 1996 / 12 / 32 /    prev next

From: tab@cis... tab@cis...
Subject: No subject
Date: Fri, 20 Dec 1996 10:09:04 EST

I found a bug in lpdaemon.c ...
When if-defed for Plan9, the TMPDIR is defined as follows: 

	#define TMPDIR "/sys/lib/lp/tmp"

In the function 'tempfile()' an array is defined as:
	char tmpf[20];	
and later used in:
	sprintf(tmpf, "%s/lp%d.%d", TMPDIR, getpid(), tindx++);

The resulting string overruns the 'tmpf' buffer - it really 
needs to be at least 32 bytes.

later,
Tom Bohannon 
Cisco Systems, Inc.