You can't specify a buffer size in asprintf(); therefore, it is not secure.
You can see that snprintf() writes no more than `i` bytes to the buffer.

Raiz

-------- Original Message --------
Subject: mount(8): strlen + malloc + snprintf == asprintf
Date: 2016-09-04 19:47
From: Michal Mazurek <akf...@jasminek.net>
To: tech@openbsd.org

do what tb@ did for hexdump

Index: sbin/mount/mount.c
===================================================================
RCS file: /cvs/src/sbin/mount/mount.c,v
retrieving revision 1.66
diff -u -p -r1.66 mount.c
--- sbin/mount/mount.c  26 Jun 2016 19:53:40 -0000      1.66
+++ sbin/mount/mount.c  4 Sep 2016 16:38:41 -0000
@@ -685,19 +685,16 @@ maketypelist(char *fslist)
 char *
 catopt(char *s0, const char *s1)
 {
-       size_t i;
        char *cp;

        if (s0 && *s0) {
-               i = strlen(s0) + strlen(s1) + 1 + 1;
-               if ((cp = malloc(i)) == NULL)
+               if (asprintf(&cp, "%s,%s", s0, s1) == -1)
                        err(1, NULL);
-               (void)snprintf(cp, i, "%s,%s", s0, s1);
        } else
                cp = strdup(s1);

        free(s0);
-       return (cp);
+       return cp;
 }

 void
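Review bot: The `else` branch still returns the result of `strdup(s1)` unchecked, so an allocation failure there hands NULL back to the caller, while the `asprintf` branch just above it exits through `err(1, NULL)`. Both branches would fail the same way with `} else if ((cp = strdup(s1)) == NULL)` followed by `err(1, NULL);`. The callers of catopt() are outside this hunk, so whether any of them copes with a NULL return cannot be confirmed from here. A one-line comment above the function, such as `/* Returns a newly allocated "s0,s1" (or a copy of s1 when s0 is empty) and frees s0; exits on allocation failure. */`, would also record the ownership rule that `free(s0)` implies.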
