> I've already built patches for 4.4lite BSD derived systems, which
> I'll post in a little while after I've tested them better.
> Unfortunately, they require the use of snprintf, which is not
> standard on anything other than 4.4BSD.

(and 4.4-derived systems, of course)

> I can't think of any way to get around this -- you need to bounds
> check the sprintfs in syslog.c and the only way I know to do that is
> snprintf.

Actually, it's not quite that bad. printf()'s guts are not hard to
rewrite; if nothing else, you can steal it from one of the free-source
stdios. (If you skip floating point - which I admit you really can't
get away with for syslog() - it's not even hard to redo de novo.)

> I'll point out that this opens up a whole new wonderful set of holes
> that no one thought of before.

Yeah...stdio just plain wasn't thought through enough, or something
snprintfish would have been there in the first place. (I'd still
rather have fopenstr(), and make the sprintf() family just wrappers
around fopenstr/vfprintf/fclose sequences. Of course, I'd also like
fopenfxn(), too, but I suppose that's a pipe dream....)

der Mouse

mouse@collatz.mcrcim.mcgill.edu
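
The wrapper idea in the message above (a bounded sprintf built as an open-string-stream / vfprintf / fclose sequence), as an added example that is not part of the original post or of any syslog.c patch. It assumes POSIX fmemopen() as a stand-in for the wished-for fopenstr(); the names bounded_sprintf and format_log_line and the sample log line are invented here.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#endif
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* bounded_sprintf() is a hypothetical name, not from the post.
 * POSIX fmemopen() stands in for the fopenstr() the post wishes for.
 * Returns 0 if the whole output fit, 1 if it was cut short (or the
 * format step failed), -1 if no stream could be opened.
 * buf is always NUL-terminated when size > 0. */
int bounded_sprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    FILE *fp;
    int n;

    if (buf == NULL || size == 0)
        return -1;
    memset(buf, 0, size);            /* defined contents on every path */
    fp = fmemopen(buf, size, "w");   /* stream cannot write past buf+size */
    if (fp == NULL)
        return -1;

    va_start(ap, fmt);
    n = vfprintf(fp, fmt, ap);       /* formatting is done by stdio itself */
    va_end(ap);
    fclose(fp);                      /* flushes; excess output is dropped */

    buf[size - 1] = '\0';            /* do not rely on the libc's NUL policy */
    return (n < 0 || (size_t)n > strlen(buf)) ? 1 : 0;
}

/* Constructed sample: a syslog-style line built in a fixed buffer. */
int format_log_line(char *line, size_t size, const char *tag, int pid,
                    const char *msg)
{
    return bounded_sprintf(line, size, "%s[%d]: %s", tag, pid, msg);
}

int main(void)
{
    char line[32];
    int cut = format_log_line(line, sizeof line, "demo", 42,
                              "a message far longer than the line buffer");
    printf("truncated=%d line=\"%s\"\n", cut, line);
    return 0;
}
```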