From e27ca530912c9386f2a60656b4a2b713521f82b1 Mon Sep 17 00:00:00 2001 From: Alejandro Colomar Date: Mon, 13 Mar 2023 00:41:00 +0100 Subject: [PATCH] Fix is_my_tty() buffer overrun * libmisc/utmp.c (is_my_tty): Declare the parameter as a char array, not char *, as it is not necessarily null-terminated. Avoid a read overrun when reading 'tty', which comes from 'ut_utname'. Reported-by: Paul Eggert Co-developed-by: Paul Eggert Signed-off-by: Alejandro Colomar Reviewed-by: Iker Pedrosa --- libmisc/utmp.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/libmisc/utmp.c b/libmisc/utmp.c index ff6acee0..b35382ef 100644 --- a/libmisc/utmp.c +++ b/libmisc/utmp.c @@ -28,17 +28,16 @@ /* * is_my_tty -- determine if "tty" is the same TTY stdin is using */ -static bool is_my_tty (const char *tty) +static bool is_my_tty (const char tty[UT_LINESIZE]) { - /* full_tty shall be at least sizeof utmp.ut_line + 5 */ - char full_tty[200]; + char full_tty[STRLEN("/dev/") + UT_LINESIZE + 1]; /* tmptty shall be bigger than full_tty */ - static char tmptty[sizeof (full_tty)+1]; + static char tmptty[sizeof (full_tty)+1]; - if ('/' != *tty) { - (void) snprintf (full_tty, sizeof full_tty, "/dev/%s", tty); - tty = &full_tty[0]; - } + full_tty[0] = '\0'; + if (tty[0] != '/') + strcpy (full_tty, "/dev/"); + strncat (full_tty, tty, UT_LINESIZE); if ('\0' == tmptty[0]) { const char *tname = ttyname (STDIN_FILENO); @@ -49,7 +48,7 @@ static bool is_my_tty (const char *tty) if ('\0' == tmptty[0]) { (void) puts (_("Unable to determine your tty name.")); exit (EXIT_FAILURE); - } else if (strncmp (tty, tmptty, sizeof (tmptty)) != 0) { + } else if (strncmp (full_tty, tmptty, sizeof (tmptty)) != 0) { return false; } else { return true;