Subject: bin/26778: minor off-by-one in comsat
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <dholland@eecs.harvard.edu>
List: netbsd-bugs
Date: 08/27/2004 17:11:44
>Number: 26778
>Category: bin
>Synopsis: minor off-by-one, checking for truncation by snprintf in comsat
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Aug 28 00:44:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: David A. Holland <dholland@eecs.harvard.edu>
>Release: NetBSD -current of 20040827
>Organization:
Harvard EECS
>Environment:
System: NetBSD alicante 1.6ZG NetBSD 1.6ZG (ALICANTE) #8: Wed Mar 17 18:47:39 EST 2004 dholland@alicante:/usr/src/sys/arch/i386/compile/ALICANTE i386
Architecture: i386
Machine: i386
>Description:
It seems that some two years ago I fixed some bugs in comsat
and then forgot about them, and finally I got a merge failure
today. (As you might guess from the environment above, I
hadn't updated in a while.)
One of the fixes has since been obsoleted, but the other one
stands: the return value of snprintf excludes the terminator,
so if it's equal to the buffer size the last byte has been
lost.
This has no practical significance. :-)
>How-To-Repeat:
n/a
>Fix:
Patch against the latest (1.31) libexec/comsat/comsat.c.
Index: comsat.c
===================================================================
RCS file: /cvsroot/src/libexec/comsat/comsat.c,v
retrieving revision 1.31
diff -u -r1.31 comsat.c
--- comsat.c 10 Jul 2004 07:11:38 -0000 1.31
+++ comsat.c 27 Aug 2004 21:01:56 -0000
@@ -223,7 +223,7 @@
char maildir[MAXPATHLEN];
int l = snprintf(maildir, sizeof(maildir), ":%s/%s",
_PATH_MAILDIR, name);
- if (l > sizeof(maildir) || strcmp(maildir, fn) != 0)
+ if (l >= sizeof(maildir) || strcmp(maildir, fn) != 0)
return;
}
for (ep = utmp; ep != NULL; ep = ep->next)
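Review bot: On the changed line, l is an int compared against sizeof(maildir), which is a size_t, so the test is carried out unsigned and a negative return from snprintf is rejected only because it converts to a very large value. Making both conditions explicit would read more clearly and avoid a sign-compare warning: if (l < 0 || (size_t)l >= sizeof(maildir) || strcmp(maildir, fn) != 0). The >= itself matches the snprintf contract, since a return equal to the buffer size means the last character was dropped to make room for the terminator.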
>Release-Note:
>Audit-Trail:
>Unformatted:
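
The boundary case from the Description, as an added example that is not part of the original report or of comsat.c. A 16-byte buffer stands in for maildir[MAXPATHLEN]; the directory "/var/mail", the user names and the helper function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Small stand-in for maildir[MAXPATHLEN] so the boundary is easy to hit. */
#define BUFSZ 16

/* Formats ":<dir>/<name>" the way the patched code does; returns snprintf's
 * result, i.e. the length the full string needs, excluding the terminator. */
static int format_path(char *buf, size_t bufsz, const char *dir, const char *name)
{
    return snprintf(buf, bufsz, ":%s/%s", dir, name);
}

/* Pre-patch test (l > size): misses the case where l equals the buffer size.
 * The l < 0 term spells out what the int/size_t comparison did implicitly. */
static int truncated_old(int l, size_t bufsz)
{
    return l < 0 || (size_t)l > bufsz;
}

/* Post-patch test (l >= size): l == size means one byte was lost to the NUL. */
static int truncated_new(int l, size_t bufsz)
{
    return l < 0 || (size_t)l >= bufsz;
}

/* Ground truth: the buffer holds the whole string only if its stored length
 * matches the length snprintf reported. */
static int is_complete(const char *buf, int l)
{
    return l >= 0 && strlen(buf) == (size_t)l;
}

int main(void)
{
    /* Constructed names: formatted lengths are 15, 16 and 17 bytes. */
    const char *names[] = { "root", "alice", "daemon" };
    char buf[BUFSZ];
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int l = format_path(buf, sizeof(buf), "/var/mail", names[i]);
        printf("l=%2d stored=\"%s\" complete=%d old=%d new=%d\n", l, buf,
            is_complete(buf, l), truncated_old(l, sizeof(buf)),
            truncated_new(l, sizeof(buf)));
    }
    return 0;
}
```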