user/1550: bad144 coredumps when given a long argument

["Bernhard Lutzmann" <belu@kriton.org>]

>Number:         1550
>Category:       user
>Synopsis:       bad144 coredumps when given a long argument
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Dec  9 03:20:02 MST 2000
>Last-Modified:
>Originator:     Bernhard Lutzmann
>Organization:
net
>Release:        2.8
>Environment:
	System      : OpenBSD 2.8
	Architecture: OpenBSD.i386
	Machine     : i386
>Description:
	bad144 coredumps when given a long argument; the cause is a sprintf
	that does not check argument length
>How-To-Repeat:
	$ bad144 `perl -e 'print "A" x 5000'`
	Memory fault (core dumped)
>Fix:
--- bad144.c	Fri Dec  8 23:20:25 2000
+++ bad144.c	Fri Dec  8 23:27:41 2000
@@ -149,8 +149,8 @@
 		exit(1);
 	}
 	if (argv[0][0] != '/')
-		(void)sprintf(name, "%sr%s%c", _PATH_DEV, argv[0],
-		    'a' + RAW_PART);
+		(void)snprintf(name, sizeof(name), "%sr%s%c", _PATH_DEV,
+		    argv[0], 'a' + RAW_PART);
 	else
 		strlcpy(name, argv[0], MAXPATHLEN);
 	f = open(name, argc == 1? O_RDONLY : O_RDWR);

>Audit-Trail:
>Unformatted: