Fix is_my_tty() buffer overrun

* libmisc/utmp.c (is_my_tty): Declare the parameter as a char array, not char *, as it is not necessarily null-terminated. Avoid a read overrun when reading 'tty', which comes from 'ut_utname'. Reported-by: Paul Eggert <eggert@cs.ucla.edu> Co-developed-by: Paul Eggert <eggert@cs.ucla.edu> Signed-off-by: Alejandro Colomar <alx@kernel.org> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-03-13 00:41:00 +01:00
parent 664d361fa5
commit e27ca53091
1 changed files with 8 additions and 9 deletions
--- a/libmisc/utmp.c
+++ b/libmisc/utmp.c
@@ -28,17 +28,16 @@
 /*
 * is_my_tty -- determine if "tty" is the same TTY stdin is using
 */
-static bool is_my_tty (const char *tty)
+static bool is_my_tty (const char tty[UT_LINESIZE])
 {
-	/* full_tty shall be at least sizeof utmp.ut_line + 5 */
-	char full_tty[200];
+	char         full_tty[STRLEN("/dev/") + UT_LINESIZE + 1];
 	/* tmptty shall be bigger than full_tty */
-	static char tmptty[sizeof (full_tty)+1];
+	static char  tmptty[sizeof (full_tty)+1];

-	if ('/' != *tty) {
-		(void) snprintf (full_tty, sizeof full_tty, "/dev/%s", tty);
-		tty = &full_tty[0];
-	}
+	full_tty[0] = '\0';
+	if (tty[0] != '/')
+		strcpy (full_tty, "/dev/");
+	strncat (full_tty, tty, UT_LINESIZE);

 	if ('\0' == tmptty[0]) {
 		const char *tname = ttyname (STDIN_FILENO);
@@ -49,7 +48,7 @@ static bool is_my_tty (const char *tty)
 	if ('\0' == tmptty[0]) {
 		(void) puts (_("Unable to determine your tty name."));
 		exit (EXIT_FAILURE);
-	} else if (strncmp (tty, tmptty, sizeof (tmptty)) != 0) {
+	} else if (strncmp (full_tty, tmptty, sizeof (tmptty)) != 0) {
 		return false;
 	} else {
 		return true;