1997 Jan 20
Re: write(1) security problem
...overrun regarding the 2
sprintf()s in this code.
Both of the sprintf()s in this code are identical:
From util-linux-2.6:
269: (void)sprintf(path, "/dev/%s", tty);
300: (void)sprintf(path, "/dev/%s", tty);
In order to pass in the evil buffer, one has to get by either
search_utmp() or utmp_chk(). Both of these check utmp to see if it can
find a tty & user pair that matches the ones you requested.
[mod: David Holland acknowledges this. -- REW]
Did I miss something?
Dave G.
<daveg@escape.com>
http://www.escape.com/~daveg