Date: Wed, 9 Oct 1996 17:40:40 +0100
From: forsyth@plan9.cs.york.ac.uk
Subject: fix to /sys/src/libc/port/dial.c
Message-ID: <19961009164040.SoswXKv8Jk6NSQ4r3oETVfoFPzIIitCULbmbIMnUWUk@z>

errstr changed between editions so that it now exchanges the contents of the
two buffers. dial.c wasn't changed accordingly, but there is at least one
path through dial where errstr can be called with an uninitialised byte array,
which is copied into the process's error string. (specifically, if ndb/cs
doesn't return anything.) ordinarily, that does no great harm, but if there
is a % in the rubbish, it causes trouble: the string is fetched by a later
errstr, then passed to werrstr as a format, in which % can cause various
kinds of havoc. ndb/dns can blow up, for instance.

the simple fix is to ensure that errstr's argument buffer is initialised, and
use errstr not werrstr to set the string in some cases. i changed a few
sprint to snprint while i was at it, just in case, and initialised a default
error message in one case.

a boddle file is in ftp://ftp.cs.york.ac.uk/plan9/bod/dial.bod.

here are some diffs.

term% diff /n/cd/libc/port/dial.c /sys/src/libc/port/dial.c
51a52
> err[0] = 0;
54c55
< werrstr(err);
---
> errstr(err);
62a64
> alterr[0] = 0;
65c67
< werrstr(err);
---
> errstr(err);
67c69
< werrstr(alterr);
---
> errstr(alterr);
95c97
< sprint(buf, "%s!%s", ds->proto, ds->rem);
---
> snprint(buf, sizeof(buf), "%s!%s", ds->proto, ds->rem);
105a108
> snprint(err, sizeof(err), "%s: can't translate address", buf);
117a121
> err[0] = 0;
125c129
< werrstr(besterr);
---
> errstr(besterr);
127c131
< werrstr(err);
---
> errstr(err);
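Review bot: `err[0] = 0;` at 51a52 (and the matching `alterr[0] = 0;` at 62a64 and `err[0] = 0;` at 117a121) closes the uninitialised-buffer path the message describes, but if nothing fills the array before the `errstr(err)` call that follows at 54c55, an empty cs reply now installs the empty string as the process error string, which is what the caller's later fetch will see. Only the 105a108 path gets a default message; consider whether the other cleared buffers should be given one too before they are installed.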
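Review bot: at 54c55, and likewise at 65c67, 67c69, 125c129 and 127c131, replacing `werrstr(err)` with `errstr(err)` is the right fix, since errstr copies the buffer verbatim while werrstr would interpret any `%` in text received from cs as a conversion. Because errstr now exchanges, after `errstr(err)` the array holds the previous error string rather than the message just installed, so any later use of `err`, `alterr` or `besterr` in those functions must not assume it still carries the message; a one-line comment at each call site would make that explicit.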
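Review bot: the default message at 105a108 relies on `sizeof(err)`, which is only correct if `err` is an array in that scope rather than a `char *` parameter (where sizeof would be the size of the pointer); the same applies to `sizeof(buf)` at 95c97. The hunks show no declarations, so it is worth confirming both are local arrays.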
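The exchange semantics and the fixed call pattern, as an added C model that is not part of forsyth's patch or of the Plan 9 libc: `errstr`, `werrstr` and `geterr` are stand-ins with the behaviour the message describes (`procerr` simulates the process error string), and `seterr_from_reply` is a hypothetical caller written the way the patched code is.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define ERRMAX 128
/* Constructed stand-in for the per-process error string kept by the kernel. */
static char procerr[ERRMAX];
/* Later-edition errstr: caller's buffer and process error string exchange contents. */
int errstr(char *buf, unsigned n)
{
    char tmp[ERRMAX];
    snprintf(tmp, sizeof tmp, "%s", buf);          /* keep caller's text */
    snprintf(buf, n, "%s", procerr);               /* hand back old error */
    snprintf(procerr, sizeof procerr, "%s", tmp);  /* install new error */
    return 0;
}
/* werrstr treats fmt as a printf-style format: pass data as ("%s", text), never as fmt. */
void werrstr(const char *fmt, ...)
{
    char buf[ERRMAX];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    errstr(buf, sizeof buf);
}

/* Read the current error string without losing it: swap out, copy, swap back. */
const char *geterr(void)
{
    static char out[ERRMAX];
    char tmp[ERRMAX];
    tmp[0] = 0;
    errstr(tmp, sizeof tmp);
    snprintf(out, sizeof out, "%s", tmp);
    errstr(tmp, sizeof tmp);
    return out;
}

/* The patch's pattern: clear err first so an empty cs reply (NULL here) leaves no stack
 * garbage, fall back to a default message, and install it verbatim with errstr. */
void seterr_from_reply(const char *reply, const char *addr)
{
    char err[ERRMAX];
    err[0] = 0;
    if (reply != NULL)
        snprintf(err, sizeof err, "%s", reply);
    else
        snprintf(err, sizeof err, "%s: can't translate address", addr);
    errstr(err, sizeof err);  /* err now holds the previous error, not the message */
}
```

A reply containing `%` survives the round trip unchanged because it is never used as a format, and geterr's double exchange leaves the process error string in place.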