| author | Ricardo Mestre <mestre@cvs.openbsd.org> | 2018-08-23 06:27:55 +0000 |
|---|---|---|
| committer | Ricardo Mestre <mestre@cvs.openbsd.org> | 2018-08-23 06:27:55 +0000 |
| commit | b70f9305fa45c016ed303ecb312fd64808f8a8f7 (patch) | |
| tree | 82f40cbb37640a15c3b3fa7f9dc1ff93f6b14485 /usr.sbin/ac | |
| parent | 5cf28d5e0e5471dd465cb8225080a81820086a28 (diff) | |

We can safely assume that our utmp(5) file format implementation can guarantee
space for the NUL character, nevertheless there will always be some piece of
software that can get it wrong and corrupt the database, so we must take this
into consideration.

That being said, there is one strlcpy(3) that needs to be reverted back into
strncpy(3) + '\0' since if we try to use a bogus wtmp(5) file with ac(8) that
is big enough then the NUL char is not verified and it will write memory
out-of-bounds which will make the program crash.

discussed with and OK cheloha@ deraadt@

Diffstat (limited to 'usr.sbin/ac')
-rw-r--r-- | usr.sbin/ac/ac.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/usr.sbin/ac/ac.c b/usr.sbin/ac/ac.c index f0005cea8a9..ed4f7ebefd8 100644 --- a/usr.sbin/ac/ac.c +++ b/usr.sbin/ac/ac.c @@ -187,7 +187,8 @@ update_user(struct user_list *head, char *name, time_t secs) if ((up = malloc(sizeof(struct user_list))) == NULL) err(1, "malloc"); up->next = head; - strlcpy(up->name, name, sizeof (up->name)); + strncpy(up->name, name, sizeof(up->name) - 1); + up->name[sizeof(up->name) - 1] = '\0'; up->secs = secs; Total += secs; return up; |
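
Review bot: The new `strncpy(up->name, name, sizeof(up->name) - 1);` in update_user() has no comment saying why strncpy(3) is used here, so a later cleanup could turn it back into strlcpy(3). strlcpy(3) keeps reading its source until it finds a NUL in order to compute its return value, which is the problem when `name` comes from a record with no terminator. Please add a one-line comment above the copy stating that `name` may not be NUL-terminated. The bound used is the size of the destination, so strncpy(3) can still read up to `sizeof(up->name) - 1` bytes from `name`; the hunk does not show how large the caller's buffer is, so it is worth confirming in the callers that at least that many bytes are readable, or passing the source length into update_user() explicitly.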