Hi Paul, On 3/12/23 02:44, Paul Eggert wrote: > From 9ebf228fb33f66d248b230d23b633800267e5a16 Mon Sep 17 00:00:00 2001 > From: Paul Eggert <[email protected]> > Date: Sat, 11 Mar 2023 10:34:21 -0800 > Subject: [PATCH 8/8] Fix su silent truncation > > * src/su.c (check_perms): Do not silently truncate user name. > > Signed-off-by: Paul Eggert <[email protected]> > --- > src/su.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/src/su.c b/src/su.c > index 9c134a9b..112be456 100644 > --- a/src/su.c > +++ b/src/su.c > @@ -658,7 +658,14 @@ static /*@only@*/struct passwd * check_perms (void) > SYSLOG ((LOG_INFO, > "Change user from '%s' to '%s' as requested by PAM", > name, tmp_name)); > - strlcpy (name, tmp_name, sizeof(name)); > + if (sizeof name <= strnlen (tmp_name, sizeof name)) {
strnlen(3)'s output is limited by the second argument, which makes
the previous condition to always be false, AFAICS. I guess you
wanted to call strlen(3)? Which BTW we can, since we use "%s" with
tmp_name in the previous line, so we know it's a string (or we
would have already crashed --or worse--).
Cheers,
Alex
> + fprintf (stderr, _("Overlong user name '%s'\n"),
> + tmp_name);
> + SYSLOG ((LOG_NOTICE, "Overlong user name '%s'",
> + tmp_name));
> + su_failure (caller_tty, true);
> + }
> + strcpy (name, tmp_name);
> pw = xgetpwnam (name);
> if (NULL == pw) {
> (void) fprintf (stderr,
> @@ -1213,4 +1220,3 @@ int main (int argc, char **argv)
>
> return (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
> }
> -
> --
> 2.37.2
>
--
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ Pkg-shadow-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-shadow-devel
