From c7f87da2ba6b1e0bfcd3a41737483100010778d4 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Mon, 25 Sep 2017 21:55:34 +0200
Subject: [PATCH] setproctitle: fix out of boundary access

A program using setproctitle can trigger an out of boundary access
if an attacker was able to clear the environment before execution.

The check in setproctitle prevents overflows, but does not take into
account that the whole length of the arguments could be 1, which is
possible by supplying such a program name to execlp(3) or using a
symbolic link, e.g. argv[0] = "l", argv[1] = NULL.

Only login uses setproctitle, which is not affected by this
problem due to initializing the environment right before the call.
---
 lib/setproctitle.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/lib/setproctitle.c b/lib/setproctitle.c
index 93bc82e471..7168e4658a 100644
--- a/lib/setproctitle.c
+++ b/lib/setproctitle.c
@@ -17,7 +17,7 @@
 extern char **environ;
 
 static char **argv0;
-static int argv_lth;
+static size_t argv_lth;
 
 void initproctitle (int argc, char **argv)
 {
@@ -42,16 +42,17 @@ void initproctitle (int argc, char **argv)
 			return;
 	environ[i] = NULL;
 
-	argv0 = argv;
 	if (i > 0)
-		argv_lth = envp[i-1] + strlen(envp[i-1]) - argv0[0];
+		argv_lth = envp[i-1] + strlen(envp[i-1]) - argv[0];
 	else
-		argv_lth = argv0[argc-1] + strlen(argv0[argc-1]) - argv0[0];
+		argv_lth = argv[argc-1] + strlen(argv[argc-1]) - argv[0];
+	if (argv_lth > 1)
+		argv0 = argv;
 }
 
 void setproctitle (const char *prog, const char *txt)
 {
-        int i;
+        size_t i;
         char buf[SPT_BUFSIZE];
 
         if (!argv0)
-- 
2.47.3