From: "xiechengliang1 at huawei dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/26657] New: strncpy in login/login.c line 114 might leave the destination string unterminate
Date: Wed, 23 Sep 2020 11:57:05 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=26657

            Bug ID: 26657
           Summary: strncpy in login/login.c line 114 might leave the destination string unterminate
           Product: glibc
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: xiechengliang1 at huawei dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

glibc-2.31/login/login.c, line 114, contains the following code:

    strncpy (copy.ut_line, ttyp, UT_LINESIZE);

The UT_LINESIZE size is 32 bytes, and the size of the destination array "copy.ut_line" is also 32 bytes. The code cannot ensure that the "ttyp" ends with '\0', so calling "strncpy" might leave the destination string unterminated. When strlen is used to obtain the length of the "copy.ut_line" array, a buffer overflow occurs.

Consider setting the 32nd bit of the "copy.ut_line" array to '\0' to fix it.
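
The behaviour the report describes, as an added example (not glibc code and not part of the original report): the copy as quoted, the termination the report suggests, and a bounded length check that never reads past the field. LINE_SIZE stands in for UT_LINESIZE with the 32-byte value given in the report; the helper names and the sample tty names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_SIZE 32  /* assumption: the UT_LINESIZE value stated in the report */

/* Constructed sample inputs: one longer than the field, one shorter. */
static const char LONG_NAME[]  = "pts/012345678901234567890123456789"; /* 34 chars */
static const char SHORT_NAME[] = "pts/3";

/* The copy as quoted in the report: strncpy writes no terminator
   when the source has n or more characters before its NUL. */
void copy_as_reported(char *dst, const char *src, size_t n)
{
    strncpy(dst, src, n);
}

/* The change the report suggests: force the last byte of the field to NUL.
   The stored name is then truncated to n - 1 characters. */
void copy_terminated(char *dst, const char *src, size_t n)
{
    strncpy(dst, src, n);
    dst[n - 1] = '\0';
}

/* Returns 1 if a NUL lies inside the field, 0 if the field is unterminated. */
int field_is_terminated(const char *field, size_t n)
{
    return memchr(field, '\0', n) != NULL;
}

/* Bounded length: scans at most n bytes, so it is safe on an
   unterminated field where strlen would read past the array. */
size_t field_len(const char *field, size_t n)
{
    const char *nul = memchr(field, '\0', n);
    return nul ? (size_t)(nul - field) : n;
}

int main(void)
{
    char line[LINE_SIZE];

    copy_as_reported(line, LONG_NAME, LINE_SIZE);
    printf("as reported: terminated=%d len=%zu\n",
           field_is_terminated(line, LINE_SIZE), field_len(line, LINE_SIZE));

    copy_terminated(line, LONG_NAME, LINE_SIZE);
    printf("terminated:  terminated=%d len=%zu\n",
           field_is_terminated(line, LINE_SIZE), field_len(line, LINE_SIZE));
    return 0;
}
```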