From 58457b126815e811a10a84f1f983a459c740c967 Mon Sep 17 00:00:00 2001
From: Alexander Bluhm
Date: Tue, 25 Aug 2015 17:14:17 +0000
Subject: strlcpy() accesses the source string until it finds NUL, even if it is behind the size limit. As msg is not NUL-terminated in this case, it depended on memory content wether syslogd will crash. So using memcpy() and setting the NUL explicitly is the correct way. OK deraadt@
---
 usr.sbin/syslogd/syslogd.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'usr.sbin')
diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c
index a2ddc2b820e..a65d6bf89e5 100644
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: syslogd.c,v 1.177 2015/07/20 19:49:33 bluhm Exp $ */
+/* $OpenBSD: syslogd.c,v 1.178 2015/08/25 17:14:16 bluhm Exp $ */
 /* * Copyright (c) 1983, 1988, 1993, 1994
@@ -1037,6 +1037,7 @@ tcp_readcb(struct bufferevent *bufev, void *arg)
 {
 struct peer *p = arg;
 char *msg, line[MAXLINE + 1];
+ size_t linelen;
 int len;
 while (EVBUFFER_LENGTH(bufev->input) > 0) {
@@ -1055,8 +1056,9 @@ tcp_readcb(struct bufferevent *bufev, void *arg)
 if (len > 0 && msg[len-1] == '\n')
 msg[len-1] = '\0';
 if (len == 0 || msg[len-1] != '\0') {
- strlcpy(line, msg,
- MINIMUM((size_t)len+1, sizeof(line)));
+ linelen = MINIMUM((size_t)len, sizeof(line)-1);
+ memcpy(line, msg, linelen);
+ line[linelen] = '\0';
 msg = line;
 }
 printline(p->p_hostname, msg);
-- cgit v1.2.3
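Review bot: The new memcpy() block in the last hunk of tcp_readcb() has no comment saying why strlcpy() must not be used there, so the reasoning lives only in the commit message and a later cleanup could bring the over-read back. I would add above the `linelen = ...` line: `/* msg is not NUL-terminated here; strlcpy() would read past len */`. The `(size_t)len` cast also relies on len being non-negative at this point; any check for that is outside the hunk, so it is worth confirming, because a negative len would clamp to `sizeof(line)-1` and copy that many bytes from msg. Messages longer than `sizeof(line)-1` are truncated silently, which may deserve a word in the same comment. tcp_readcb's body starts and ends outside the hunk.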