>Number:         2948
>Category:       lib
>Synopsis:       possible buffer overflow in ttyaction
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    lib-bug-people (Library Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 17 06:20:00 1996
>Last-Modified:
>Originator:     enami tsugutomo
>Organization:
	An individual
>Release:        NetBSD-current 96/11/15
>Environment:
System: NetBSD pavlov.enami.ba2.so-net.or.jp 1.2B NetBSD 1.2B (PAVLOV) #106: Sat Nov 16 18:31:39 JST 1996 enami@pavlov.enami.ba2.so-net.or.jp:/usr/src/sys/arch/i386/compile/PAVLOV i386


>Description:
	There is possible buffer overflow in ttyaction
>How-To-Repeat:
	Read the source lib/libutil/ttyaction.c.  For example, the variable
	env_tty is declared as char [64], but it is used in context like this:
		sprintf (env_tty, "TTY=%.63s", tty);
	It may prints max 68 byte to env_tty.
>Fix:
	Use correct size to print.
Index: ttyaction.c
===================================================================
RCS file: /a/cvsroot/NetBSD/lib/libutil/ttyaction.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 ttyaction.c
--- ttyaction.c	1996/11/16 16:38:37	1.1.1.1
+++ ttyaction.c	1996/11/17 07:49:47
@@ -92,9 +92,10 @@
 	argv[3] = NULL;
 
 	/* Environment needs: TTY, ACT, USER */
-	sprintf(env_tty, "TTY=%.63s", tty);
-	sprintf(env_act, "ACT=%.63s", act);
-	sprintf(env_user, "USER=%.255s", user);
+	sprintf(env_tty, "TTY=%.*s", sizeof(env_tty) - sizeof("TTY="), tty);
+	sprintf(env_act, "ACT=%.*s", sizeof(env_act) - sizeof("ACT="), act);
+	sprintf(env_user, "USER=%.*s", sizeof(env_user) - sizeof("USER="),
+	    user);
 	envp[0] = pathenv;
 	envp[1] = env_tty;
 	envp[2] = env_act;
>Audit-Trail:
>Unformatted: