Subject: bin/21048: systrace: Off-by-one bug
To: None <>
From: Christian Biere <>
List: netbsd-bugs
Date: 04/07/2003 01:53:00
>Number:         21048
>Category:       bin
>Synopsis:       systrace: Off-by-one bug
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Apr 06 16:54:00 PDT 2003
>Originator:     Christian Biere
>Release:        NetBSD 1.6Q
NetBSD cyclonus 1.6Q NetBSD 1.6Q (STARSCREAM) #0: Sun Apr  6 00:39:54
CEST 2003  bin@cyclonus:/usr/obj/sys/arch/i386/compile/STARSCREAM i386


systrace uses the definition of MAXLOGNAME to determine the
buffer size in /bin/systrace/intercept.h and /bin/systrace/systrace.c.
According to /usr/include/sys/param.h this definition seems to be
deprecated but the real problem is that LOGIN_NAME_MAX includes the
trailing NUL while MAXLOGNAME does not. Thus, strlcpy() prevents a
buffer overrun but it will truncate the username if it's long enough.


# useradd -m abcdefghijklmnop
# su -l abcdefghijklmnop
% systrace -A /bin/ls
% systrace -a /bin/ls /usr


Apr  7 01:13:51 cyclonus systrace: deny user: abcdefghijklmno, prog:
/bin/ls, pid: 21359(0)[0], policy: /bin/ls, filters: 19, syscall:
netbsd-fsread(5), filename: /usr/share/nls/nls.alias

Note the missing "p" at the end of username.

Bump the buffer size by (at least) one (use LOGIN_NAME_MAX?) and add
checks for the result value of strl.* and sn.* everywhere.
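
The truncation and the suggested fix, as an added example that is not part of the original report or of systrace's source. The names `EX_MAXLOGNAME`, `EX_LOGIN_NAME_MAX`, `bounded_copy`, `rec_small`, `rec_fixed` and both `record_user_*` functions are hypothetical; the size 16 is an assumption chosen to match the log line above, and `bounded_copy` is a portable stand-in with strlcpy() semantics.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes (not taken from the report): 16 reproduces the log line. */
#define EX_MAXLOGNAME     16                   /* name length, no room for NUL */
#define EX_LOGIN_NAME_MAX (EX_MAXLOGNAME + 1)  /* name length including NUL   */

/* Stand-in for strlcpy(): always NUL-terminates, returns strlen(src).
 * A return value >= dstsize means the copy was truncated. */
static size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t len = strlen(src);
    if (dstsize > 0) {
        size_t n = len < dstsize ? len : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

struct rec_small { char user[EX_MAXLOGNAME]; };      /* undersized by one */
struct rec_fixed { char user[EX_LOGIN_NAME_MAX]; };  /* room for the NUL  */

/* Pattern the report describes: no overrun, but silent truncation. */
void record_user_unchecked(struct rec_small *r, const char *name)
{
    (void)bounded_copy(r->user, name, sizeof(r->user));
}

/* Suggested fix: larger buffer and a check of the copy's return value. */
int record_user_checked(struct rec_fixed *r, const char *name)
{
    if (bounded_copy(r->user, name, sizeof(r->user)) >= sizeof(r->user)) {
        r->user[0] = '\0';   /* never keep a partial name for logs or policy */
        return -1;
    }
    return 0;
}

int main(void)
{
    struct rec_small s;
    struct rec_fixed f;
    const char *name = "abcdefghijklmnop";   /* constructed 16-char login */

    record_user_unchecked(&s, name);
    printf("unchecked: %s\n", s.user);
    printf("checked:   rc=%d %s\n", record_user_checked(&f, name), f.user);
    printf("too long:  rc=%d\n", record_user_checked(&f, "abcdefghijklmnopq"));
    return 0;
}
```

A truncated name is more than a cosmetic log defect: it can collide with a different, shorter account name, which is why the checked variant rejects the input instead of storing a prefix.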

