From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Fri, 29 Mar 2013 03:19:19 +0000 (-0400)
Subject: utmp-wtmp: don't try to read past end of string
X-Git-Tag: v201~166
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=268888765352e4dcf07e40917fef6ab41b7deba1;ds=sidebyside

utmp-wtmp: don't try to read past end of string

systemd-199/src/shared/utmp-wtmp.c:228: buffer_size_warning: Calling
strncpy with a maximum size argument of 32 bytes on destination array
"store.ut_line" of size 32 bytes might leave the destination string
unterminated.

The destination string is unterminated on purpose, but we must
remember that.
---

diff --git a/src/shared/utmp-wtmp.c b/src/shared/utmp-wtmp.c
index 046fb584f..8717dbac2 100644
--- a/src/shared/utmp-wtmp.c
+++ b/src/shared/utmp-wtmp.c
@@ -403,10 +403,12 @@ int utmp_wall(const char *message, bool (*match_tty)(const char *tty)) {
                 if (u->ut_type != USER_PROCESS || u->ut_user[0] == 0)
                         continue;
 
+                /* this access is fine, because strlen("/dev/") << 32 (UT_LINESIZE) */
                 if (path_startswith(u->ut_line, "/dev/"))
                         path = u->ut_line;
                 else {
-                        if (asprintf(&buf, "/dev/%s", u->ut_line) < 0) {
+                        if (asprintf(&buf, "/dev/%.*s",
+                                     sizeof(u->ut_line), u->ut_line) < 0) {
                                 r = -ENOMEM;
                                 goto finish;
                         }