svn commit: r328492 - head/contrib/opie/libopie
Ed Schouten
ed at nuxi.nl
Sat Jan 27 22:42:39 UTC 2018
2018-01-27 23:31 GMT+01:00 Dimitry Andric <dim at freebsd.org>:
> On 27 Jan 2018, at 23:20, Ed Schouten <ed at nuxi.nl> wrote:
>>
>> 2018-01-27 23:16 GMT+01:00 Pedro F. Giffuni <pfg at freebsd.org>:
>>> char host[sizeof(utmp.ut_host) + 1];
>>> insecure = 1;
>>>
>>> - strncpy(host, utmp.ut_host, sizeof(utmp.ut_host));
>>> - host[sizeof(utmp.ut_host)] = 0;
>>> + strncpy(host, utmp.ut_host, sizeof(host));
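Review bot: the new bound sizeof(host) on the `+` line equals sizeof(utmp.ut_host) + 1 per the declaration at the top of the hunk, so when ut_host fills its field without a NUL the copy reads one byte beyond the field, and with `host[sizeof(utmp.ut_host)] = 0;` removed nothing terminates host in that case. Keep the bound at sizeof(utmp.ut_host) and keep the explicit terminator store after the copy.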
>>
>> Wait... This may access utmp.ut_host one byte past the end and no
>> longer guarantees that host is null-terminated, right?
>
> No, strncpy "copies at most len characters from src into dst".
Substituting 'len', 'src' and 'dst' gives me:
strncpy "copies at most 'sizeof(utmp.ut_host) + 1' characters from
'utmp.ut_host' into 'host'".
As 'utmp.ut_host' is not guaranteed to be null-terminated by POSIX*,
it can actually end up in the situation where it copies
'sizeof(utmp.ut_host) + 1' characters, which may leave 'host'
unterminated.
--
Ed Schouten <ed at nuxi.nl>
Nuxi, 's-Hertogenbosch, the Netherlands
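
The case discussed in this thread, as an added example that is not part of the original message or the FreeBSD source. HOSTLEN and the flat `rec` buffer are constructed stand-ins for sizeof(utmp.ut_host) and the utmp record, with byte HOSTLEN modelling the first byte of whatever follows ut_host.

```c
#include <stdio.h>
#include <string.h>

#define HOSTLEN 16   /* constructed stand-in for sizeof(utmp.ut_host) */

/* Pre-patch copy: bound by the field size, then terminate explicitly. */
static void copy_original(char *host, const char *rec)
{
    strncpy(host, rec, HOSTLEN);
    host[HOSTLEN] = 0;
}

/* Patched copy: bound is sizeof(host) == HOSTLEN + 1, no terminator store. */
static void copy_patched(char *host, const char *rec)
{
    strncpy(host, rec, HOSTLEN + 1);
}

/* 1 if a NUL exists within the HOSTLEN + 1 bytes of host, else 0. */
static int is_terminated(const char *host)
{
    return memchr(host, 0, HOSTLEN + 1) != NULL;
}

/* Builds a record whose host field holds name (a HOSTLEN-byte name leaves
 * no NUL in the field), runs one variant, returns 1 if host is terminated. */
static int run(int patched, const char *name, char *host)
{
    char rec[HOSTLEN + 1];
    size_t n = strlen(name);
    memset(rec, 0, HOSTLEN);
    memcpy(rec, name, n < HOSTLEN ? n : HOSTLEN);
    rec[HOSTLEN] = 'X';                 /* first byte of the next field */
    memset(host, 0x7f, HOSTLEN + 1);    /* stale stack contents */
    if (patched) copy_patched(host, rec);
    else copy_original(host, rec);
    return is_terminated(host);
}

int main(void)
{
    char host[HOSTLEN + 1];
    const char *full = "0123456789abcdef";   /* exactly HOSTLEN bytes */
    printf("short name, original: terminated=%d\n", run(0, "short", host));
    printf("short name, patched:  terminated=%d\n", run(1, "short", host));
    printf("full field, original: terminated=%d\n", run(0, full, host));
    printf("full field, patched:  terminated=%d\n", run(1, full, host));
    return 0;
}
```

Only the full-field input separates the two variants: the patched copy pulls the neighbouring byte into host[HOSTLEN] and leaves no NUL anywhere in the buffer.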