+++ /dev/null
-diff -ur sysvinit-2.78.orig/src/bootlogd.c sysvinit-2.78/src/bootlogd.c
---- sysvinit-2.78.orig/src/bootlogd.c Mon Oct 4 13:19:19 1999
-+++ sysvinit-2.78/src/bootlogd.c Tue Aug 8 06:36:47 2000
-@@ -86,7 +86,7 @@
- * Scan /dev and find the device name.
- * Side-effect: directory is changed to /dev
- */
--int findtty(char *res, dev_t dev)
-+int findtty(char **res, dev_t dev)
- {
- DIR *dir;
- struct dirent *ent;
-@@ -109,8 +109,10 @@
- if (ent == NULL) {
- fprintf(stderr, "bootlogd: cannot find console device\n");
- r = -1;
-- } else
-- strcpy(res, ent->d_name);
-+ } else {
-+ *res = strdup(ent->d_name);
-+ if (!*res) r = -1;
-+ }
- closedir(dir);
-
- return r;
-@@ -121,7 +123,7 @@
- * Find out the _real_ console. Assume that stdin is connected to
- * the console device (/dev/console).
- */
--int consolename(char *res)
-+int consolename(char **res)
- {
- struct stat st;
- #if TIOCTTYGSTRUCT_HACK
-@@ -235,9 +237,10 @@
- FILE *fp;
- struct timeval tv;
- fd_set fds;
-- char buf[1024];
-+ char *console;
- char *p;
- char *logfile;
-+ char *backfile;
- char *pidfile;
- int rotate;
- int dontfork;
-@@ -285,10 +288,10 @@
- /*
- * Open console device directly.
- */
-- if (consolename(buf) < 0)
-+ if (consolename(&console) < 0)
- return 1;
-- if ((realfd = open(buf, O_WRONLY|O_NONBLOCK)) < 0) {
-- fprintf(stderr, "bootlogd: %s: %s\n", buf, strerror(errno));
-+ if ((realfd = open(console, O_WRONLY|O_NONBLOCK)) < 0) {
-+ fprintf(stderr, "bootlogd: %s: %s\n", console, strerror(errno));
- return 1;
- }
- n = fcntl(realfd, F_GETFL);
-@@ -298,7 +301,7 @@
- /*
- * Grab a pty, and redirect console messages to it.
- */
-- if (openpty(&ptm, &pts, buf, NULL, NULL) < 0) {
-+ if (openpty(&ptm, &pts, console, NULL, NULL) < 0) {
- fprintf(stderr, "bootlogd: cannot allocate pseudo tty\n");
- return 1;
- }
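Review bot: `openpty(&ptm, &pts, console, NULL, NULL)` passes a heap string as the third argument, but openpty() treats that argument as an output buffer and writes the slave pty name into it. As far as these hunks show, `console` is the string findtty() allocated with `strdup(ent->d_name)`, so it is only as large as the console's directory entry name and the pty path can overrun it; the old code passed the 1024-byte `buf` here. Because `buf` is removed, every use of it appears in this patch, and the only later use of the name is the TIOCCONS error message in the next hunk. Passing no name is therefore the simplest fix: `if (openpty(&ptm, &pts, NULL, NULL, NULL) < 0) {`. The enclosing function starts and ends outside this hunk.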
-@@ -312,7 +315,7 @@
- #endif
- if (ioctl(pts, TIOCCONS, NULL) < 0) {
- fprintf(stderr, "bootlogd: ioctl(%s, TIOCCONS): %s\n",
-- buf, strerror(errno));
-+ console, strerror(errno));
- return 1;
- }
-
-@@ -384,8 +387,10 @@
- * Perhaps we need to open the logfile.
- */
- if (fp == NULL && rotate && access(logfile, F_OK) == 0) {
-- sprintf(buf, "%s~", logfile);
-- rename(logfile, buf);
-+ backfile = malloc(strlen(logfile) + 2);
-+ if (!backfile) break;
-+ sprintf(backfile, "%s~", logfile);
-+ rename(logfile, backfile);
- }
- if (fp == NULL)
- fp = fopen(logfile, "a");
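Review bot: `backfile` is allocated with malloc() and never freed in this hunk, and `if (!backfile) break;` leaves the surrounding loop on an allocation failure instead of only skipping the rotation. The loop starts outside the hunk, so what the `break` terminates is inferred. The size is right: `strlen(logfile) + 2` covers the `~` and the terminator. I would add `free(backfile);` after the rename() and check rename()'s return value, which is ignored here as it was before the patch.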
-diff -ur sysvinit-2.78.orig/src/dowall.c sysvinit-2.78/src/dowall.c
---- sysvinit-2.78.orig/src/dowall.c Tue Apr 20 01:10:10 1999
-+++ sysvinit-2.78/src/dowall.c Tue Aug 8 06:50:06 2000
-@@ -90,7 +90,7 @@
- if ((tty = ttyname(0)) != (char *)0) {
- if (strncmp(tty, "/dev/", 5) == 0)
- tty += 5;
-- sprintf(ttynm, "(%s) ", tty);
-+ snprintf(ttynm, sizeof(ttynm), "(%s) ", tty);
- } else
- ttynm[0] = 0;
- init++;
-@@ -105,7 +105,7 @@
- *p = 0;
-
- if (remote) {
-- sprintf(line,
-+ snprintf(line, sizeof(line),
- "\007\r\nRemote broadcast message %s...\r\n\r\n",
- date);
- } else {
-@@ -124,10 +124,14 @@
- while ((utmp = getutent()) != NULL) {
- if(utmp->ut_type != USER_PROCESS ||
- utmp->ut_user[0] == 0) continue;
-- if (strncmp(utmp->ut_line, "/dev/", 5) == 0)
-- strcpy(term, utmp->ut_line);
-- else
-- sprintf(term, "/dev/%s", utmp->ut_line);
-+/* AUDIT: is ut_line always NUL-terminated? This code will at least not
-+ * overflow the buffer if not. */
-+ if (strlen(utmp->ut_line) >= sizeof(term) - 5) continue;
-+ if (strncmp(utmp->ut_line, "/dev/", 5) == 0) {
-+ term[0] = '\0';
-+ strncat(term, utmp->ut_line, sizeof(term) - 1);
-+ } else
-+ snprintf(term, sizeof(term), "/dev/%s", utmp->ut_line);
-
- /*
- * Sometimes the open/write hangs in spite of the O_NDELAY
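Review bot: The guard `strlen(utmp->ut_line) >= sizeof(term) - 5` depends on the same NUL terminator that the AUDIT comment questions. `ut_line` is a fixed-size utmp field, so if it is completely filled, strlen() and the later `%s` read past it into the neighbouring fields. `term` is no longer overflowed, but the device path can pick up bytes that are not part of the line name. Bounding the read by the field size removes the doubt, e.g. `snprintf(term, sizeof(term), "/dev/%.*s", (int)sizeof(utmp->ut_line), utmp->ut_line);`, with the same precision applied in the `/dev/`-prefixed branch. The `strlen(ut->ut_line)` check added in the second shutdown.c hunk has the same dependency.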
-diff -ur sysvinit-2.78.orig/src/init.c sysvinit-2.78/src/init.c
---- sysvinit-2.78.orig/src/init.c Fri Feb 11 14:17:02 2000
-+++ sysvinit-2.78/src/init.c Tue Aug 8 08:07:37 2000
-@@ -70,6 +70,11 @@
- # define SIGPWR SIGUSR2
- #endif
-
-+#ifdef __GNUC__
-+__attribute__ ((format (printf, 2, 3)))
-+#endif
-+void log(int loglevel, char *s, ...);
-+
- /* Set a signal handler. */
- #define SETSIG(sa, sig, fun, flags) \
- do { \
-@@ -416,10 +421,11 @@
- }
-
- /*
-- * Set the process title. We do not check for overflow of
-- * the stack space since we know there is plenty for
-- * our needs and we'll never use more than 10 bytes anyway.
-+ * Set the process title.
- */
-+#ifdef __GNUC__
-+__attribute__ ((format (printf, 1, 2)))
-+#endif
- int setproctitle(char *fmt, ...)
- {
- va_list ap;
-@@ -429,7 +435,7 @@
- buf[0] = 0;
-
- va_start(ap, fmt);
-- len = vsprintf(buf, fmt, ap);
-+ len = vsnprintf(buf, sizeof(buf), fmt, ap);
- va_end(ap);
-
- memset(argv0, 0, maxproclen + 1);
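Review bot: `len` now holds vsnprintf()'s return value, which on truncation is either the untruncated length (C99) or -1 (older C libraries), not the number of bytes actually stored in `buf`. Whatever uses `len` after the memset() should clamp it first, e.g. `if (len < 0 || len >= (int)sizeof(buf)) len = sizeof(buf) - 1;`. The rest of setproctitle() is outside this hunk, so how `len` is used is not visible. The removed comment suggests titles are short in practice, but the function accepts an arbitrary format, so the clamp is cheap insurance.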
-@@ -728,6 +734,9 @@
- /*
- * Log something to a logfile and the console.
- */
-+#ifdef __GNUC__
-+__attribute__ ((format (printf, 2, 3)))
-+#endif
- void log(int loglevel, char *s, ...)
- {
- va_list va_alist;
-@@ -742,7 +751,7 @@
- * Re-etablish connection with syslogd every time.
- */
- openlog("init", 0, LOG_DAEMON);
-- syslog(LOG_INFO, buf);
-+ syslog(LOG_INFO, "%s", buf);
- /* closelog(); NOT needed with recent libc's. */
- }
-
-@@ -856,6 +865,7 @@
- } else {
- /* Split up command line arguments */
- strncpy(buf, proc, sizeof(buf) - 1);
-+ buf[sizeof(buf) - 1] = '\0';
- ptr = buf;
- for(f = 1; f < 15; f++) {
- /* Skip white space */
-@@ -1003,7 +1013,7 @@
- #endif
-
- if (pid == -1) {
-- log(L_VB, "cannot fork, retry..", NULL, NULL);
-+ log(L_VB, "cannot fork, retry..");
- do_sleep(5);
- continue;
- }
-diff -ur sysvinit-2.78.orig/src/killall5.c sysvinit-2.78/src/killall5.c
---- sysvinit-2.78.orig/src/killall5.c Wed Oct 7 00:34:46 1998
-+++ sysvinit-2.78/src/killall5.c Tue Aug 8 07:21:08 2000
-@@ -72,6 +72,9 @@
- int scripts_too = 0;
-
- char *progname; /* the name of the running program */
-+#ifdef __GNUC__
-+__attribute__ ((format (printf, 2, 3)))
-+#endif
- void nsyslog(int pri, char *fmt, ...);
-
- /* Malloc space, barf if out of memory. */
-@@ -166,7 +169,7 @@
- memset(p, 0, sizeof(PROC));
-
- /* Open the statistics file. */
-- sprintf(path, "/proc/%s/stat", d->d_name);
-+ snprintf(path, sizeof(path), "/proc/%s/stat", d->d_name);
-
- /* Read SID & statname from it. */
- if ((fp = fopen(path, "r")) != NULL) {
-@@ -211,7 +214,7 @@
- }
-
- /* Now read argv[0] */
-- sprintf(path, "/proc/%s/cmdline", d->d_name);
-+ snprintf(path, sizeof(path), "/proc/%s/cmdline", d->d_name);
- if ((fp = fopen(path, "r")) != NULL) {
- f = 0;
- while(f < 127 && (c = fgetc(fp)) != EOF && c) buf[f++] = c;
-@@ -234,7 +237,7 @@
- }
-
- /* Try to stat the executable. */
-- sprintf(path, "/proc/%s/exe", d->d_name);
-+ snprintf(path, sizeof(path), "/proc/%s/exe", d->d_name);
- if (stat(path, &st) == 0) {
- p->dev = st.st_dev;
- p->ino = st.st_ino;
-@@ -349,6 +352,9 @@
- }
-
- /* write to syslog file if not open terminal */
-+#ifdef __GNUC__
-+__attribute__ ((format (printf, 2, 3)))
-+#endif
- void nsyslog(int pri, char *fmt, ...)
- {
- va_list args;
-diff -ur sysvinit-2.78.orig/src/last.c sysvinit-2.78/src/last.c
---- sysvinit-2.78.orig/src/last.c Wed Nov 24 15:24:53 1999
-+++ sysvinit-2.78/src/last.c Tue Aug 8 07:39:02 2000
-@@ -31,6 +31,7 @@
- #include <string.h>
- #include <signal.h>
- #include <getopt.h>
-+#include <assert.h>
- #include <netinet/in.h>
- #include <netdb.h>
- #include <arpa/inet.h>
-@@ -298,7 +299,7 @@
- /*
- * Lookup a host with DNS.
- */
--int dns_lookup(char *result, char *org, unsigned int ip)
-+int dns_lookup(char *result, int size, char *org, unsigned int ip)
- {
- struct hostent *h;
-
-@@ -315,8 +316,8 @@
- strcpy(result, inet_ntoa(*(struct in_addr *)&ip));
- return 0;
- }
-- strncpy(result, h->h_name, 256);
-- result[255] = 0;
-+ result[0] = '\0';
-+ strncat(result, h->h_name, size - 1);
-
- return 0;
- }
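Review bot: `size` is a signed `int`, so `strncat(result, h->h_name, size - 1)` converts a zero or negative size into a very large `size_t` bound. Declaring it `size_t size` and returning early when it is 0 closes that gap. The context line `strcpy(result, inet_ntoa(...))` still ignores the new parameter. A dotted quad needs at most 16 bytes, so it is safe only while every caller passes a buffer at least that large; `snprintf(result, size, "%s", inet_ntoa(...))` would make the function consistent. The start of dns_lookup() is outside this hunk.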
-@@ -396,11 +397,13 @@
- break;
- }
-
-+ assert(UT_HOSTSIZE <= sizeof(domain));
-+
- /*
- * Look up host with DNS if needed.
- */
- if (usedns)
-- dns_lookup(domain, p->ut_host, p->ut_addr);
-+ dns_lookup(domain, sizeof(domain), p->ut_host, p->ut_addr);
- if (useip) {
- in.s_addr = p->ut_addr;
- strcpy(domain, inet_ntoa(in));
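Review bot: `assert(UT_HOSTSIZE <= sizeof(domain))` compares two compile-time constants at run time and disappears when the file is built with NDEBUG, so it protects nothing in such builds. A compile-time check keeps the guarantee, for instance `typedef char domain_fits_ut_host[(UT_HOSTSIZE <= sizeof(domain)) ? 1 : -1];` placed after the declaration of `domain`. If code outside this hunk copies a full `ut_host` and then appends a terminator, the comparison would need `<` rather than `<=`; that copy is not visible here. The `strcpy(domain, inet_ntoa(in))` left in the context is bounded only by the length of a dotted quad.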
-@@ -418,17 +421,20 @@
- strcmp(s + 1, domainname) == 0) *s = 0;
- #endif
- if (!altlist) {
-- sprintf(final, "%-8.8s %-12.12s %-16.16s %-16.16s %-7.7s %-12.12s\n",
-+ snprintf(final, sizeof(final),
-+ "%-8.8s %-12.12s %-16.16s "
-+ "%-16.16s %-7.7s %-12.12s\n",
- p->ut_name, utline,
- domain, logintime, logouttime, length);
- } else {
-- sprintf(final,
-+ snprintf(final, sizeof(final),
- "%-8.8s %-12.12s %-16.16s %-7.7s %-12.12s %s\n",
- p->ut_name, utline,
- logintime, logouttime, length, domain);
- }
- } else
-- sprintf(final, "%-8.8s %-12.12s %-16.16s %-7.7s %-12.12s\n",
-+ snprintf(final, sizeof(final),
-+ "%-8.8s %-12.12s %-16.16s %-7.7s %-12.12s\n",
- p->ut_name, utline,
- logintime, logouttime, length);
-
-@@ -436,7 +442,7 @@
- * Print out "final" string safely.
- */
- for (s = final; *s; s++) {
-- if (*s == '\n' || (*s >= 32 && (unsigned char)*s <= 128))
-+ if (*s == '\n' || (*s >= 32 && (unsigned char)*s <= 126))
- putchar(*s);
- else
- putchar('*');
-@@ -547,10 +553,11 @@
-
- #if CHOP_DOMAIN
- /* Find out domainname. */
-- (void) gethostname(hostname, 256);
-+ (void) gethostname(hostname, sizeof(hostname));
- if ((domainname = strchr(hostname, '.')) != NULL) domainname++;
- if (domainname == NULL || domainname[0] == 0) {
-- (void) getdomainname(hostname, 256);
-+ (void) getdomainname(hostname, sizeof(hostname));
-+ hostname[sizeof(hostname) - 1] = '\0';
- domainname = hostname;
- if (strcmp(domainname, "(none)") == 0 || domainname[0] == 0)
- domainname = NULL;
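Review bot: Termination is added after getdomainname() but not after gethostname(), whose result goes straight into `strchr(hostname, '.')` on the next line. POSIX leaves it unspecified whether a truncated host name is NUL-terminated. Adding `hostname[sizeof(hostname) - 1] = '\0';` directly after the gethostname() call covers that path too. Both return values are still discarded with `(void)`, so a failed call leaves `hostname` with whatever it held before. Its declaration is outside the hunk, so whether it starts zeroed cannot be seen here.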
-diff -ur sysvinit-2.78.orig/src/shutdown.c sysvinit-2.78/src/shutdown.c
---- sysvinit-2.78.orig/src/shutdown.c Sat Nov 13 19:39:01 1999
-+++ sysvinit-2.78/src/shutdown.c Tue Aug 8 07:47:47 2000
-@@ -110,17 +110,19 @@
- void warn(mins)
- int mins;
- {
-- char buf[MESSAGELEN + 64];
-+ char buf[MESSAGELEN + sizeof(newstate)];
- int len;
-
-- strcpy(buf, message);
-+ buf[0] = '\0';
-+ strncat(buf, message, sizeof(buf) - 1);
- len = strlen(buf);
-
- if (mins == 0)
-- sprintf(buf + len, "\rThe system is going down %s NOW !!\r\n",
-+ snprintf(buf + len, sizeof(buf) - len,
-+ "\rThe system is going down %s NOW !!\r\n",
- newstate);
- else
-- sprintf(buf + len,
-+ snprintf(buf + len, sizeof(buf) - len,
- "\rThe system is going DOWN %s in %d minute%s !!\r\n",
- newstate, mins, mins == 1 ? "" : "s");
- wall(buf, 1, 0);
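Review bot: `buf` is sized as `MESSAGELEN + sizeof(newstate)`, which leaves no room for the fixed text of the two format strings (about 40 bytes plus the minute count). A `message` near its maximum length therefore makes snprintf() cut the warning short and drop the trailing `\r\n`. That is memory-safe, because both calls are bounded by `sizeof(buf) - len`, but the broadcast arrives truncated. The size expression also assumes `newstate` is an array rather than a pointer; its declaration is not in this hunk. `char buf[MESSAGELEN + sizeof(newstate) + 64];` keeps the bound and restores the headroom.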
-@@ -377,7 +379,8 @@
-
- /* See if this is a user process on a VC. */
- if (ut->ut_type != USER_PROCESS) continue;
-- sprintf(buf, "/dev/%s", ut->ut_line);
-+ if (strlen(ut->ut_line) >= sizeof(buf) - 5) continue;
-+ snprintf(buf, sizeof(buf), "/dev/%s", ut->ut_line);
- if (stat(buf, &st) < 0) continue;
- if ((st.st_rdev & 0xFFC0) != 0x0400) continue;
-
-diff -ur sysvinit-2.78.orig/src/wall.c sysvinit-2.78/src/wall.c
---- sysvinit-2.78.orig/src/wall.c Tue Jul 28 15:22:56 1998
-+++ sysvinit-2.78/src/wall.c Tue Aug 8 07:41:34 2000
-@@ -53,7 +53,7 @@
- if ((argc - optind) > 0) {
- for(f = optind; f < argc; f++) {
- len += strlen(argv[f]) + 1;
-- if (len >= MAXLEN) break;
-+ if (len >= MAXLEN - 2) break;
- strcat(buf, argv[f]);
- strcat(buf, " ");
- }
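Review bot: The new limit `len >= MAXLEN - 2` only means something relative to the size of `buf` and the starting value of `len`, both declared outside this hunk, so the two strcat() calls are still unbounded as written. An explicitly bounded append makes the hunk self-checking, e.g. `snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), "%s ", argv[f]);`, assuming `buf` is an array. Arguments that do not fit are dropped silently by the `break`; a warning on stderr would tell the user the broadcast was cut.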