Fix is_my_tty() buffer overrun

*  libmisc/utmp.c (is_my_tty): Declare the parameter as a char array,
   not char *, as it is not necessarily null-terminated.
   Avoid a read overrun when reading 'tty', which comes from
   'ut_utname'.

Reported-by: Paul Eggert <eggert@cs.ucla.edu>
Co-developed-by: Paul Eggert <eggert@cs.ucla.edu>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>

diff --git a/libmisc/utmp.c b/libmisc/utmp.c
index ff6acee0b2657714c0da462e2dbdadc2bac37f50..b35382ef42e767105d07ab721140a20319baaf2e 100644 (file)
--- a/libmisc/utmp.c
+++ b/libmisc/utmp.c
@@ -28,17 +28,16 @@
 /*
  * is_my_tty -- determine if "tty" is the same TTY stdin is using
  */
-static bool is_my_tty (const char *tty)
+static bool is_my_tty (const char tty[UT_LINESIZE])
 {
-       /* full_tty shall be at least sizeof utmp.ut_line + 5 */
-       char full_tty[200];
+       char         full_tty[STRLEN("/dev/") + UT_LINESIZE + 1];
        /* tmptty shall be bigger than full_tty */
-       static char tmptty[sizeof (full_tty)+1];
+       static char  tmptty[sizeof (full_tty)+1];
 
-       if ('/' != *tty) {
-               (void) snprintf (full_tty, sizeof full_tty, "/dev/%s", tty);
-               tty = &full_tty[0];
-       }
+       full_tty[0] = '\0';
+       if (tty[0] != '/')
+               strcpy (full_tty, "/dev/");
+       strncat (full_tty, tty, UT_LINESIZE);
 
        if ('\0' == tmptty[0]) {
                const char *tname = ttyname (STDIN_FILENO);
@@ -49,7 +48,7 @@ static bool is_my_tty (const char *tty)
        if ('\0' == tmptty[0]) {
                (void) puts (_("Unable to determine your tty name."));
                exit (EXIT_FAILURE);
-       } else if (strncmp (tty, tmptty, sizeof (tmptty)) != 0) {
+       } else if (strncmp (full_tty, tmptty, sizeof (tmptty)) != 0) {
                return false;
        } else {
                return true;