From 3b868dda3484415475e3b11617ea827a74427f70 Mon Sep 17 00:00:00 2001 From: mestre Date: Thu, 23 Aug 2018 06:27:54 +0000 Subject: [PATCH] We can safely assume that our utmp(5) file format implementation can guarantee space for the NUL character, nevertheless there will always be some piece of software that can get it wrong and corrupt the database, so we must take this into consideration. That being said, there is one strlcpy(3) that needs to be reverted back into strncpy(3) + '\0' since if we try to use a bogus wtmp(5) file with ac(8) that is big enough then the NUL char is not verified and it will write memory out-of-bounds which will make the program crash. discussed with and OK cheloha@ deraadt@ --- usr.sbin/ac/ac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr.sbin/ac/ac.c b/usr.sbin/ac/ac.c index f0005cea8a9..ed4f7ebefd8 100644 --- a/usr.sbin/ac/ac.c +++ b/usr.sbin/ac/ac.c @@ -187,7 +187,8 @@ update_user(struct user_list *head, char *name, time_t secs) if ((up = malloc(sizeof(struct user_list))) == NULL) err(1, "malloc"); up->next = head; - strlcpy(up->name, name, sizeof (up->name)); + strncpy(up->name, name, sizeof(up->name) - 1); + up->name[sizeof(up->name) - 1] = '\0'; up->secs = secs; Total += secs; return up; -- 2.20.1
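Review bot: the replacement of `strlcpy(up->name, name, sizeof (up->name))` with `strncpy(up->name, name, sizeof(up->name) - 1)` plus the explicit `up->name[sizeof(up->name) - 1] = '\0';` deserves a one-line source comment saying why, because on OpenBSD this reads like exactly the kind of strncpy a later cleanup would "modernise" back to strlcpy and reintroduce the bug the commit message describes. The reason to record at the call site is the one given in the message: `name` comes straight out of a wtmp record and may not be NUL-terminated within its field, and strlcpy computes the source length before copying, so it reads past the field, whereas strncpy bounded by the destination size never reads beyond `sizeof(up->name) - 1` bytes of the source and the explicit terminator keeps `up->name` a valid C string regardless of input. Something like `/* name may be unterminated (corrupt wtmp): do not use strlcpy */` above the two lines would make the intent survive future edits. The bounds themselves look right: the copy leaves the last byte free and that byte is then set to NUL, so `up->name` cannot be left unterminated even when the field is full.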