lslogins: bound lastlog2 tty/host copy to destination size

get_lastlog2() copies the TTY and host strings read from the lastlog2
database into heap buffers of sizeof(ut_line)+1 and sizeof(ut_host)+1
bytes, but passed strlen(value)+1 as the mem2strcpy() limit. mem2strcpy()
zero-fills and copies that many bytes regardless of the destination, so a
database value longer than the field overflows the buffer. Cap the limit
to the destination field size, matching the wtmp and plain-lastlog paths
in the same function.

Signed-off-by: aizu-m <aizumusheer2@gmail.com>

diff --git a/login-utils/lslogins.c b/login-utils/lslogins.c
index 750b54e970d3b78e8859359dc4d3368cd72be0d5..fa69529f48ba54a33e20d4e5a14d693b6b351fc5 100644 (file)
--- a/login-utils/lslogins.c
+++ b/login-utils/lslogins.c
@@ -571,7 +571,8 @@ static int get_lastlog2(struct lslogins_control *ctl, const char *user, void *ds
                        return -1;
                }
                if (res_tty) {
-                       mem2strcpy(dst, res_tty, strlen(res_tty), strlen(res_tty) + 1);
+                       mem2strcpy(dst, res_tty, strlen(res_tty),
+                                       sizeof_member(struct utmpx, ut_line) + 1);
                        free (res_tty);
                }
                break;
@@ -584,7 +585,8 @@ static int get_lastlog2(struct lslogins_control *ctl, const char *user, void *ds
                        return -1;
                }
                if (res_host) {
-                       mem2strcpy(dst, res_host, strlen(res_host), strlen(res_host) + 1);
+                       mem2strcpy(dst, res_host, strlen(res_host),
+                                       sizeof_member(struct utmpx, ut_host) + 1);
                        free(res_host);
                }
                break;