Bug#194637: Buffer overflow (1 byte) in sysdeps/unix/sysv/linux/ttyname_r.c
Package: libc6
Version: 2.3.1
Severity: minor
Tags: patch
In all releases currently present on ftp.debian.org (i.e. 5, 16 and 17),
glibc-2.3.1/debian/patches/glibc22-ttyname-devfs.dpatch contains the
following snippet:
+ memcpy (buf, prefix, strlen (prefix));
+ buflen -= strlen (prefix) - 1;
...
- memcpy (buf, "/dev/pts/", sizeof ("/dev/pts/"));
- buflen -= sizeof ("/dev/pts/") - 1;
That is certainly wrong since the value returned by strlen is one less
than the one returned by sizeof. This doesn't matter in the first line
since the code which later appends the file name to the directory uses a
remembered value of the string length, but buflen being 1 more allows
ttyname_r to use 1 byte more than available as buffer space.
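To make the accounting error concrete, the following is an added example (not code from the report, glibc or the dpatch) that simulates the prefix-plus-filename bookkeeping of ttyname_r with a hypothetical `build_tty_path` function. The caller's remaining space is computed either correctly (`buflen - strlen(prefix)`, equivalent to the original `sizeof - 1`) or as in the flawed dpatch (`buflen -= strlen(prefix) - 1`, one byte too large). The simulation never writes past the buffer: when the flawed accounting accepts a name that does not fit, it reports that instead of overflowing. Buffer sizes and names are constructed for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mimics ttyname_r's bookkeeping: copy the directory prefix into buf,
   then check whether name (plus its NUL) fits in the remaining space.
   Returns 0 if the path was written, ERANGE if it was rejected.
   With buggy_accounting, "remaining" is one byte too large, as in the
   flawed dpatch. *would_overflow is set when that accounting accepted a
   name whose NUL would land at buf[buflen], i.e. one byte past the end. */
int build_tty_path(char *buf, size_t buflen, const char *prefix,
                   const char *name, int buggy_accounting,
                   int *would_overflow)
{
    size_t devlen = strlen(prefix);   /* remembered prefix length */
    size_t namelen = strlen(name);
    size_t remaining;

    *would_overflow = 0;
    if (buflen < devlen + 1)
        return ERANGE;

    /* Correct: strlen(prefix) == sizeof("...") - 1, so this matches the
       original "buflen -= sizeof (...) - 1" bookkeeping. */
    remaining = buflen - devlen;
    if (buggy_accounting)
        remaining += 1;               /* flawed: buflen -= strlen(prefix) - 1 */

    if (namelen + 1 > remaining)      /* the check the real code performs */
        return ERANGE;

    /* Real requirement: prefix + name + NUL must fit in buflen. */
    if (devlen + namelen + 1 > buflen) {
        *would_overflow = 1;          /* accepted by accounting, but does not fit */
        return ERANGE;
    }
    memcpy(buf, prefix, devlen);
    memcpy(buf + devlen, name, namelen + 1);
    return 0;
}

/* Convenience wrapper over a 64-byte scratch buffer (hypothetical).
   Returns 0 = written, 1 = rejected cleanly, 2 = accounting would have
   overflowed by one byte, -1 = buflen larger than the scratch buffer. */
int check_name(size_t buflen, const char *prefix, const char *name,
               int buggy_accounting)
{
    char buf[64];
    int would_overflow;
    int rc;

    if (buflen > sizeof buf)
        return -1;
    rc = build_tty_path(buf, buflen, prefix, name, buggy_accounting,
                        &would_overflow);
    if (rc == 0)
        return 0;
    return would_overflow ? 2 : 1;
}

int main(void)
{
    /* Constructed case: 16-byte buffer, 9-byte prefix, 7-byte name
       needs 17 bytes and must be rejected. */
    printf("correct accounting: %d\n", check_name(16, "/dev/pts/", "1234567", 0));
    printf("flawed accounting:  %d\n", check_name(16, "/dev/pts/", "1234567", 1));
    return 0;
}
```

With a 16-byte buffer and the prefix `/dev/pts/`, a 6-character name fits exactly under both schemes; a 7-character name is rejected with ERANGE by the correct accounting but accepted by the flawed one, which is the single byte the report describes.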
Proposed patch:
--- glibc22-ttyname-devfs.dpatch.orig Sun May 25 14:15:33 2003
+++ glibc22-ttyname-devfs.dpatch Sun May 25 14:16:18 2003
@@ -41,8 +41,8 @@
+ size_t devlen = strlen (prefix);
- dirstream = __opendir (buf);
-+ memcpy (buf, prefix, strlen (prefix));
-+ buflen -= strlen (prefix) - 1;
++ memcpy (buf, prefix, devlen);
++ buflen -= devlen;
+
+ dirstream = __opendir (prefix);
if (dirstream == NULL)
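Review bot: `++ buflen -= devlen;` is only safe if an earlier size check already guarantees `buflen >= devlen`; with an unsigned `buflen` the subtraction would otherwise wrap, and since `prefix` is variable-length here (devfs vs. `/dev/pts/`), that earlier check should be confirmed to use `devlen` rather than a fixed `sizeof ("/dev/pts/")`. The new value is otherwise consistent with the original `sizeof ("/dev/pts/") - 1`, because `strlen` already excludes the terminator, and reusing the `devlen` computed just above (`+ size_t devlen = strlen (prefix);`) also drops the two redundant `strlen (prefix)` calls.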
That should fix it.
Hunor Csordas