Subject: lib/23806: Off-by-one error in libc/time/localtime.c:tzload()
To: None <gnats-bugs@gnats.netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 12/20/2003 17:42:40
>Number:         23806
>Category:       lib
>Synopsis:       Off-by-one error in libc/time/localtime.c:tzload()
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Dec 20 17:43:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Christian Biere
>Release:        NetBSD 1.6ZG
>Organization:
>Environment:
System: NetBSD cyclonus 1.6ZG NetBSD 1.6ZG (STARSCREAM) #0: Tue Dec 16 17:11:50 CET 2003 bin@cyclonus:/usr/build/arch/i386/compile/STARSCREAM i386
Architecture: i386
Machine: i386

>Description:
In tzload(), strcpy() and strcat() are used unsafely because either the
NUL character or the slash '/' was left out of the calculation of the
required buffer length. So it *might* be possible to leave the
local string buffer 'fullname' unterminated.

[ I also think that the comments about str{cpy,cat} should be removed
 because they're absolutely useless and might even be wrong/misleading. ]
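An added example, not part of this report or of libc, that puts the two bounds side by side on a constructed 32-byte buffer (the directory and zone names are constructed sample input, and FULLNAME_SIZE is an assumed stand-in for sizeof fullname). The buffer is poisoned so that a missing terminator shows up as a length of FULLNAME_SIZE; an snprintf() form that needs no separate length arithmetic is included for comparison.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for tzload()'s fixed-size fullname[] buffer. */
#define FULLNAME_SIZE 32

/* The tzload() copy sequence behind a bound of strlen(dir)+strlen(name)+slack:
 * slack 1 is the check in localtime.c rev 1.34, slack 2 is the proposed patch.
 * Returns 0 on success, -1 if the check rejects the input. */
int build_tzpath(char *fullname, const char *dir, const char *name, size_t slack)
{
	if ((strlen(dir) + strlen(name) + slack) >= FULLNAME_SIZE)
		return -1;
	(void) strcpy(fullname, dir);
	(void) strcat(fullname, "/");
	(void) strcat(fullname, name);
	return 0;
}

/* Alternative that needs no separate arithmetic: snprintf() always
 * terminates and returns the length it wanted, so truncation is explicit. */
int build_tzpath_snprintf(char *fullname, const char *dir, const char *name)
{
	int n = snprintf(fullname, FULLNAME_SIZE, "%s/%s", dir, name);
	if (n < 0 || n >= FULLNAME_SIZE)
		return -1;	/* would not fit; fullname holds a truncated path */
	return 0;
}

/* Run one builder (slack 0 selects the snprintf() version) on a poisoned
 * buffer.  Returns the resulting string length, -1 if the input was rejected,
 * or FULLNAME_SIZE if the buffer was left without a terminator. */
int try_build(const char *dir, const char *name, size_t slack)
{
	char fullname[FULLNAME_SIZE];
	int len = 0, rc;

	memset(fullname, 'X', sizeof fullname);	/* no NUL anywhere */
	rc = slack == 0 ? build_tzpath_snprintf(fullname, dir, name)
	    : build_tzpath(fullname, dir, name, slack);
	if (rc != 0)
		return -1;
	while (len < FULLNAME_SIZE && fullname[len] != '\0')
		len++;
	return len;
}
```

With a 19-character directory, an 11-character name fills the 32-byte buffer exactly: the `+ 1` bound accepts it and the result is terminated, while the `+ 2` bound refuses it; a 12-character name is refused by both.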

>How-To-Repeat:

>Fix:

Index: localtime.c
===================================================================
RCS file: /cvsroot/src/lib/libc/time/localtime.c,v
retrieving revision 1.34
diff -u -u -r1.34 localtime.c
--- localtime.c	2003/10/29 20:43:27	1.34
+++ localtime.c	2003/12/20 17:30:57
@@ -340,7 +340,7 @@
 		if (!doaccess) {
 			if ((p = TZDIR) == NULL)
 				return -1;
-			if ((strlen(p) + strlen(name) + 1) >= sizeof fullname)
+			if ((strlen(p) + strlen(name) + 2) >= sizeof fullname)
 				return -1;
 			(void) strcpy(fullname, p);	/* XXX strcpy is safe */
 			(void) strcat(fullname, "/");	/* XXX strcat is safe */
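Review bot: the `+ 2` in the new bound rejects one input that would fit, because the comparison is `>=`: the copy needs strlen(p) + 1 + strlen(name) + 1 bytes (directory, the `/` appended by strcat(), the name, the NUL), and the rev 1.34 check `strlen(p) + strlen(name) + 1 >= sizeof fullname` returns -1 unless that total is at most sizeof fullname, so it already reserves room for both the slash and the terminator; with `+ 2` a path of exactly sizeof fullname - 1 characters is refused. If the aim is to make the reservation readable rather than to change behaviour, spell it out as `strlen(p) + 1 + strlen(name) + 1 > sizeof fullname`, or replace the strcpy()/strcat() pair with a single snprintf() whose return value is checked against sizeof fullname, which also makes the `/* XXX strcpy is safe */` comments unnecessary.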
>Release-Note:
>Audit-Trail:
>Unformatted: