The tm_mon already adjusts by 1, so the allowed range should be 0 -
11.  Since mktime(3) is permissive in what it accepts, I think this
check is correct.

The second part handles the (theoretically valid but essentially
useless) parsing of a configuration file with an ISO 8601 date with
a leap second.  I'm not sure whether mktime(3) discards or keeps valid
leap seconds, or if the "restrictedness" of the implementation should
permit them, so maybe this isn't necessary.

Apologies since gmail will probably mangle the diff.

--david

--- usr.bin/newsyslog/newsyslog.c Thu Nov 20 15:11:02 2014
+++ usr.bin/newsyslog/newsyslog.c Thu Nov 20 15:12:39 2014
@@ -1186,7 +1186,7 @@ parse8601(char *s)
  }

  /* sanity check */
- if (tm.tm_year < 70 || tm.tm_mon < 0 || tm.tm_mon > 12 ||
+ if (tm.tm_year < 70 || tm.tm_mon < 0 || tm.tm_mon > 11 ||
     tm.tm_mday < 1 || tm.tm_mday > 31)
  return (-1);

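Review bot: The tm_mday bound on the line after the changed tm_mon test still accepts 31 for every month, so with the month range now correct a day such as the 31st of a 30-day month passes this check and mktime(3) will silently normalize it into the following month. Consider validating tm_mday against the length of the parsed month, or comparing the struct tm fields before and after mktime(3) and returning -1 when they differ. A short comment that tm_mon is zero-based at this point would also make the 11 self-explanatory.
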
@@ -1213,7 +1213,7 @@ parse8601(char *s)
  }

  /* sanity check */
- if (tm.tm_sec < 0 || tm.tm_sec > 60 || tm.tm_min < 0 ||
+ if (tm.tm_sec < 0 || tm.tm_sec > 61 || tm.tm_min < 0 ||
     tm.tm_min > 59 || tm.tm_hour < 0 || tm.tm_hour > 23)
  return (-1);
  }
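
Review bot: The old test tm.tm_sec > 60 already lets a seconds value of 60 through, which is the only leap-second value ISO 8601 defines, so changing the bound to > 61 does not add leap-second support; it only starts accepting 61, which is not a valid seconds field. The 0-61 range comes from the older C89 description of struct tm, and C99 narrowed it to 0-60. I would drop this hunk and keep > 60, and if the intent is to document the leap-second case, extend the "sanity check" comment instead.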
