> i = vsprintf(buf + 3, fmt, args); /* hopefully i < sizeof(buf)-4 */
^^^^^^^^^^^^^^^^^^^^^^^^^^^
really funny comment ? :-(
I have patched it like:
> i = vsnprintf(buf + 3, sizeof(buf)-4, fmt, args);
I think hope is good, control is better. ;-)
Well, I don't know if there are any exploits out there, but
I prefer a complete "vsprintf" and "sprintf" replacement with "vsnprintf"
and "snprintf".
An exploit doesn't need an executable stack, a little overwrite
over important kernel structures like process table etc. will (might)
give you superuser rights.
Wolfram
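
The bounded call from the message above, as an added user-space example that is not part of the original mail or the patched source. It shows that the value returned by a C99 vsnprintf is the length it wanted to write, so "i" must be clamped before it is used as an index. The names bounded_log, try_message, LOG_BUF and the "<6>" prefix are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF    32   /* assumed size, small so truncation is easy to hit */
#define PREFIX_LEN 3    /* the "buf + 3" offset: room for a "<N>" prefix */

/* Format behind a 3-byte prefix into a LOG_BUF-byte buffer, keeping one
 * spare byte (hence LOG_BUF - 4). Returns the message bytes stored. */
static int bounded_log(char *buf, const char *fmt, ...)
{
    va_list args;
    size_t room = LOG_BUF - 4;
    int i;

    memcpy(buf, "<6>", PREFIX_LEN);           /* constructed prefix */
    va_start(args, fmt);
    i = vsnprintf(buf + PREFIX_LEN, room, fmt, args);
    va_end(args);
    if (i < 0) {                              /* encoding error */
        buf[PREFIX_LEN] = '\0';
        return 0;
    }
    /* C99: i is the untruncated length, so it can exceed what was stored.
     * Clamp it before using it as an index into buf. */
    if ((size_t)i >= room)
        i = (int)room - 1;
    return i;
}

/* Constructed check: stored length, or -1 if guard bytes or length are off. */
static int try_message(const char *msg)
{
    struct { char buf[LOG_BUF]; unsigned char guard[8]; } s;
    int n;
    size_t k;

    memset(s.guard, 0x5A, sizeof s.guard);
    n = bounded_log(s.buf, "%s", msg);
    for (k = 0; k < sizeof s.guard; k++)
        if (s.guard[k] != 0x5A) return -1;
    return strlen(s.buf) == (size_t)n + PREFIX_LEN ? n : -1;
}

int main(void)
{
    printf("short: %d\n", try_message("short"));
    printf("long:  %d\n", try_message("this message is far longer than the buffer"));
    return 0;
}
```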