-----BEGIN PGP SIGNED MESSAGE-----

    Index: xutil.c
    ===================================================================
    RCS file: /home/ncvs/src/contrib/amd/libamu/xutil.c,v
    retrieving revision 1.1.1.3
    retrieving revision 1.1.1.3.2.1
    diff -u -r1.1.1.3 -r1.1.1.3.2.1
    --- xutil.c	1999/01/13 19:20:33	1.1.1.3
    +++ xutil.c	1999/08/25 18:59:39	1.1.1.3.2.1
    @@ -272,16 +272,18 @@

     /*
      * Take a log format string and expand occurrences of %m
    - * with the current error code taken from errno.
    + * with the current error code taken from errno.  Make sure
    + * 'e' never gets longer than maxlen characters.
      */
     static void
    -expand_error(char *f, char *e)
    +expand_error(char *f, char *e, int maxlen)
     {
       extern int sys_nerr;
    -  char *p;
    +  char *p, *q;
       int error = errno;
    +  int len = 0;

    -  for (p = f; (*e = *p); e++, p++) {
    +  for (p = f, q = e; (*q = *p) && len < maxlen; len++, q++, p++) {
	 if (p[0] == '%' && p[1] == 'm') {
	   const char *errstr;
	   if (error < 0 || error >= sys_nerr)
    @@ -289,13 +291,15 @@
	   else
	    errstr = sys_errlist[error];
	   if (errstr)
    -	strcpy(e, errstr);
    +	strcpy(q, errstr);
	   else
    -	sprintf(e, "Error %d", error);
    -      e += strlen(e) - 1;
    +	sprintf(q, "Error %d", error);
    +      len += strlen(q) - 1;
    +      q += strlen(q) - 1;
	   p++;
	 }
       }
    +  e[maxlen-1] = '\0';		/* null terminate, to be sure */
     }


    @@ -401,9 +405,15 @@
       checkup_mem();
     #endif /* DEBUG_MEM */

    -  expand_error(fmt, efmt);
    +  expand_error(fmt, efmt, 1024);

    +  /*
    +   * XXX: ptr is 1024 bytes long.  It is possible to write into it
    +   * more than 1024 bytes, if efmt is already large, and vargs expand
    +   * as well.
    +   */
       vsprintf(ptr, efmt, vargs);
    +  msg[1023] = '\0';		/* null terminate, to be sure */

       ptr += strlen(ptr);
       if (ptr[-1] == '\n')
    Index: amq_subr.c
    ===================================================================
    RCS file: /home/imp/FreeBSD/CVS/src/contrib/amd/amd/amq_subr.c,v
    retrieving revision 1.3
    retrieving revision 1.4
    diff -u -r1.3 -r1.4
    --- amq_subr.c	1999/01/13 20:03:54	1.3
    +++ amq_subr.c	1999/09/07 23:07:03	1.4
    @@ -204,11 +204,24 @@
     int *
     amqproc_mount_1_svc(voidp argp, struct svc_req *rqstp)
     {
    -  static int rc;
    -  char *s = *(amq_string *) argp;
    +  static int rc = EINVAL;
    +  char s[AMQ_STRLEN];
       char *cp;
    +  char dq[20];
    +  struct sockaddr_in *sin;
    +
    +  if ((sin = amu_svc_getcaller(rqstp->rq_xprt)) == NULL) {
    +    plog(XLOG_ERROR, "amu_svc_getcaller returned NULL");
    +    return &rc;
    +  }
    +
    +  strncpy(s, *(amq_string *) argp, AMQ_STRLEN-1);
    +  s[AMQ_STRLEN-1] = '\0';	/* null terminate, to be sure */
    +  plog(XLOG_ERROR,
    +       "amq requested mount of %s from %s.%d",
    +       s, inet_dquad(dq, sin->sin_addr.s_addr),
    +       ntohs(sin->sin_port));

    -  plog(XLOG_INFO, "amq requested mount of %s", s);
       /*
	* Minimalist security check.
	*/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBN+VNOVUuHi5z0oilAQGELgP/aMopeczE5TqvOVnNQCpv2dWX8klnFEhn
K2TVhpLw0HoJHASWEtalMznxCLe/CzAdw/NmYiqrKeletHL1tfclbbS1+TLPW7tB
p2iN5iQQfaczD95fJip7St4hrPxgSE/kvIHa92YAoa6i1A1JOsM5o5tlUC4kJiiY
n/ORSJvPlb0=
=APcV
-----END PGP SIGNATURE-----