In-Reply-To: <20030810011227.5888.qmail@www.securityfocus.com> > ssize_t buflen = 50 * strlen(fmt); /* pick a number, any number >*/.............lol > *strp = malloc(buflen); > > if (*strp) > { > va_list ap; > va_start(ap, fmt); > vsnprintf(*strp, buflen, fmt, ap);..................................lol >getenv("HOME") >50*strlen(%s/.dsh/dsh.conf) ......buf overflow...... how do you figure? it uses the same buflen value to limit the amount written to the buffer in the vsnprintf call as it was allocated(cept didn't add space for the null byte)? am i missing something?
