From f273badc6b317d8d0ba9ba52e873c98a7e72a4e7 Mon Sep 17 00:00:00 2001
From: Jonathan Geisler <jgeisler@cse.taylor.edu>
Date: Wed, 24 Mar 2010 16:02:15 -0700
Subject: [PATCH] calls to cuserid() can result in buffer overruns and/or
 overflows

(cherry picked from commit fd8ccb0427569ffdfbb70c8828029122f3459160)
---
 ChangeLog               | 7 +++++++
 sysdeps/posix/cuserid.c | 5 +++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index eece5e957b3..3198695b54f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-03-24  Ulrich Drepper  <drepper@redhat.com>
+
+	[BZ #11397]
+	* sysdeps/posix/cuserid.c (cuserid): Make sure the returned string
+	is NUL terminated.
+	Patch by Jonathan Geisler <jgeisler@cse.taylor.edu>.
+
 2010-03-02  Richard Guenther  <rguenther@suse.de>
 
 	* sysdeps/x86_64/dl-machine.h (elf_machine_rela): R_X86_64_PC32
diff --git a/sysdeps/posix/cuserid.c b/sysdeps/posix/cuserid.c
index 11c827a6868..f30c20e3f88 100644
--- a/sysdeps/posix/cuserid.c
+++ b/sysdeps/posix/cuserid.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 1991, 1996, 1998, 1999, 2001 Free Software Foundation, Inc.
+/* Copyright (C) 1991, 1996, 1998, 1999, 2001, 2010 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -44,5 +44,6 @@ cuserid (s)
 
   if (s == NULL)
     s = name;
-  return strncpy (s, pwptr->pw_name, L_cuserid);
+  s[L_userid - 1] = '\0';
+  return strncpy (s, pwptr->pw_name, L_cuserid - 1);
 }
-- 
2.47.2