ericonr
/
util-linux
mirror of https://github.com/ericonr/util-linux.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

login: prevent OOB read on illegal /etc/hushlogins 

If the file /etc/hushlogins exists and a line starts with '\0', the
login tools are prone to an off-by-one read.

I see no reliability issue with this, as it would clearly need a
hostile action from a system administrator. But for the sake of
correctness, I've sent this patch nonetheless.
This commit is contained in:
Tobias Stoeckmann 2017-03-12 17:49:45 +01:00 committed by Karel Zak
parent 55a5fbbc33
commit b0f97de5a4
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
login-utils/logindefs.c
View File

@ -344,7 +344,8 @@ int get_hushlogin_status(struct passwd *pwd, int force_check)
continue; /* ignore errors... */
while (ok == 0 && fgets(buf, sizeof(buf), f)) {
buf[strlen(buf) - 1] = '\0';
if (buf[0] != '\0')
buf[strlen(buf) - 1] = '\0';
ok = !strcmp(buf, *buf == '/' ? pwd->pw_shell :
pwd->pw_name);
}