From mboxrd@z Thu Jan  1 00:00:00 1970
Date: Fri, 20 Dec 1996 10:09:04 -0500
From: tab@cisco.com tab@cisco.com
Subject: No subject
Topicbox-Message-UUID: 537dc214-eac8-11e9-9e20-41e7f4b1d025
Message-ID: <19961220150904.JApB1RpQEeo8dJxyPt1tgXYJ35jMdYQM4BtgEeD2NyQ@z>

I found a bug in lpdaemon.c ...
When if-defed for Plan9, the TMPDIR is defined as follows: 

	#define TMPDIR "/sys/lib/lp/tmp"

In the function 'tempfile()' an array is defined as:
	char tmpf[20];	
and later used in:
	sprintf(tmpf, "%s/lp%d.%d", TMPDIR, getpid(), tindx++);

The resulting string overruns the 'tmpf' buffer - it really 
needs to be at least 32 bytes.

later,
Tom Bohannon 
Cisco Systems, Inc.