Bug #4688

closed

getlogin_r shouldn't clobber memory

Added by Robert Mustacchi over 7 years ago. Updated over 7 years ago.

Status: Resolved
Priority: High
Category: lib - userland libraries
Start date: 2014-03-15
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:
Description

getlogin_r takes a buffer size to describe how large the buffer should be. However, getlogin_r ignores that entirely and just assumes that it is at least LOGIN_NAME_MAX bytes. This means that it will actually corrupt memory, and that calling something like cuserid(3C) can and will corrupt memory. Consider the following sample C program:

#include <unistd.h>
#include <string.h>
#include <stdio.h>

int
main(void)
{
        int ret, i;
        char buf[128];

        /* Fill the whole buffer with a marker so overwrites are visible. */
        memset(buf, 'a', sizeof (buf));

        /* Tell getlogin_r the buffer is only 9 bytes long. */
        ret = getlogin_r(buf, 9);
        if (ret != 0) {
                perror("getlogin_r");
                return (1);
        }

        /* Dump well past the advertised 9 bytes; NUL bytes print as blanks. */
        for (i = 0; i < 40; i++)
                printf("%d: %c\n", i, buf[i]);

        return (0);
}

When run without a fix it produces:

0: r
1: o
2: o
3: t
4: 
5: 
6: 
7: 
8: 
9: 
10: 
11: 
12: 
13: 
14: 
15: 
16: 
17: 
18: 
19: 
20: 
21: 
22: 
23: 
24: 
25: 
26: 
27: 
28: 
29: 
30: 
31: 
32: 
33: a
34: a
35: a
36: a
37: a
38: a
39: a

Note how many more bytes beyond our buffer length have been zeroed out.

The problem is straightforward. The function getl_r_common uses strncpy on the maximum size of a login name. Ironically, it actually checks that the length of the login name fits right before doing so. The solution is to have this function properly honor the length of the buffer passed in.
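As an added illustration (this is not the illumos libc source, which the report does not quote), the following C program models the copy step described above: a buggy variant that performs the length check but then strncpy()s LOGIN_NAME_MAX bytes anyway, beside a fixed variant that honors the caller's length and fails with ERANGE when the name does not fit. LOGIN_NAME_MAX_DEMO (33), the sample login "root" and the helper names are assumptions made for the demo; the clobber count comes out the same as in the dump above (bytes 9 through 32 zeroed).

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this demo; the real constant lives in <limits.h>. */
#define LOGIN_NAME_MAX_DEMO 33

/* Constructed sample login name standing in for the utmpx lookup. */
static const char sample_login[] = "root";

/*
 * Buggy shape of the copy: the length check is present, but the copy
 * then ignores len and writes LOGIN_NAME_MAX bytes. strncpy() pads its
 * destination with NULs up to n, so all 33 bytes are written every time.
 */
static int
copy_login_buggy(const char *login, char *buf, size_t len)
{
	if (strlen(login) >= len) {		/* the check is there ... */
		errno = ERANGE;
		return (-1);
	}
	(void) strncpy(buf, login, LOGIN_NAME_MAX_DEMO);	/* ... but unused */
	return (0);
}

/*
 * Fixed shape: honor the caller's len. Copy exactly strlen(login) bytes
 * plus the terminator, and refuse (ERANGE) if that would not fit.
 */
static int
copy_login_fixed(const char *login, char *buf, size_t len)
{
	size_t n = strlen(login);

	if (n >= len) {
		errno = ERANGE;
		return (-1);
	}
	(void) memcpy(buf, login, n);
	buf[n] = '\0';
	return (0);
}

/*
 * Run one copy variant against a 128-byte marker-filled buffer with an
 * advertised length of len, and count how many bytes past len were
 * modified. Returns (size_t)-1 if the copy itself failed.
 */
static size_t
bytes_clobbered(int (*copy)(const char *, char *, size_t), size_t len)
{
	char buf[128];
	size_t i, n = 0;

	memset(buf, 'a', sizeof (buf));
	if (copy(sample_login, buf, len) != 0)
		return ((size_t)-1);
	for (i = len; i < sizeof (buf); i++)
		if (buf[i] != 'a')
			n++;
	return (n);
}

/* Returns 1 if the fixed copy rejects a too-small buffer with ERANGE. */
static int
fixed_rejects(size_t len)
{
	char buf[8];

	errno = 0;
	return (copy_login_fixed(sample_login, buf, len) == -1 &&
	    errno == ERANGE);
}

int
main(void)
{
	printf("buggy: %zu bytes clobbered past len 9\n",
	    bytes_clobbered(copy_login_buggy, 9));
	printf("fixed: %zu bytes clobbered past len 9\n",
	    bytes_clobbered(copy_login_fixed, 9));
	printf("fixed rejects len 4: %d\n", fixed_rejects(4));
	return (0);
}
```

The buggy variant passes its own check (4 < 9) and still damages 24 bytes the caller never owned; the fixed variant writes only the 5 bytes it was promised room for, and a caller that passes a buffer one byte too short gets ERANGE instead of silent truncation or an overflow.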
