authorAlejandro Colomar <alx@kernel.org>2023-03-13 00:41:00 +0100
committerIker Pedrosa <ikerpedrosam@gmail.com>2023-03-28 13:00:38 +0200
commite27ca530912c9386f2a60656b4a2b713521f82b1 (patch)
tree3277c9c26cfcfabe21624eca843e7571fee23c05
parent664d361fa549a3be5a00607ec6723f95ce33c688 (diff)
Fix is_my_tty() buffer overrun
* libmisc/utmp.c (is_my_tty): Declare the parameter as a char array, not char *, as it is not necessarily null-terminated. Avoid a read overrun when reading 'tty', which comes from 'ut_utname'. Reported-by: Paul Eggert <eggert@cs.ucla.edu> Co-developed-by: Paul Eggert <eggert@cs.ucla.edu> Signed-off-by: Alejandro Colomar <alx@kernel.org> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-rw-r--r--libmisc/utmp.c17
1 files changed, 8 insertions, 9 deletions
diff --git a/libmisc/utmp.c b/libmisc/utmp.c
index ff6acee0..b35382ef 100644
--- a/libmisc/utmp.c
+++ b/libmisc/utmp.c
@@ -28,17 +28,16 @@
/*
* is_my_tty -- determine if "tty" is the same TTY stdin is using
*/
-static bool is_my_tty (const char *tty)
+static bool is_my_tty (const char tty[UT_LINESIZE])
{
- /* full_tty shall be at least sizeof utmp.ut_line + 5 */
- char full_tty[200];
+ char full_tty[STRLEN("/dev/") + UT_LINESIZE + 1];
/* tmptty shall be bigger than full_tty */
- static char tmptty[sizeof (full_tty)+1];
+ static char tmptty[sizeof (full_tty)+1];
- if ('/' != *tty) {
- (void) snprintf (full_tty, sizeof full_tty, "/dev/%s", tty);
- tty = &full_tty[0];
- }
+ full_tty[0] = '\0';
+ if (tty[0] != '/')
+ strcpy (full_tty, "/dev/");
+ strncat (full_tty, tty, UT_LINESIZE);
if ('\0' == tmptty[0]) {
const char *tname = ttyname (STDIN_FILENO);
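Review bot: The new signature `const char tty[UT_LINESIZE]` is still adjusted to `const char *` by the compiler, so nothing checks that callers pass a full UT_LINESIZE-byte field, and the header comment above is_my_tty does not state that contract. I would extend that comment with something like `"tty" is a fixed-width utmp field of UT_LINESIZE bytes and need not be NUL-terminated`. The `if (tty[0] != '/')` body is also unbraced, while the other conditionals visible in this function use braces; `if (tty[0] != '/') { strcpy (full_tty, "/dev/"); }` would match them. The function body continues outside this hunk.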
@@ -49,7 +48,7 @@ static bool is_my_tty (const char *tty)
if ('\0' == tmptty[0]) {
(void) puts (_("Unable to determine your tty name."));
exit (EXIT_FAILURE);
- } else if (strncmp (tty, tmptty, sizeof (tmptty)) != 0) {
+ } else if (strncmp (full_tty, tmptty, sizeof (tmptty)) != 0) {
return false;
} else {
return true;
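Review bot: The bound passed to `strncmp` here, `sizeof (tmptty)`, is one byte larger than `full_tty`, so the read of `full_tty` is kept in bounds by the NUL that `strncat` writes in the first hunk, not by the length argument. A short comment on this line, e.g. `/* full_tty is always NUL-terminated by strncat above */`, would keep a later edit from silently breaking that assumption. How `tmptty` is filled lies mostly outside the hunk, so its termination cannot be confirmed from here; the function also ends outside the hunk.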