auth-subject: fix potential memory corruption in nm_auth_subject_to_string()

We don't want to apped the value to @buf, we want to set it. Also, if @buf happens to be uninitialized, g_strlcat() might determine there is nothing to append and return the buffer unmodified. Then, the (non NULL terminated) buffer might be printed. Note that before recent refactoring, we effectively would only call nm_auth_subject_to_string() on auth-subjects that were of type UNIX-PROCESS. Hence, this bug came only to light very recently, although it was present for a long time. Fixes: eabe7d856c
2026-01-11 14:30:34 +01:00 · 2018-04-13 11:31:45 +02:00 · 2018-04-13 11:31:45 +02:00 · 6fbbb5be74
commit 6fbbb5be74
parent 09e44b96dd
1 changed files with 2 additions and 2 deletions
--- a/src/nm-auth-subject.c
+++ b/src/nm-auth-subject.c
@ -93,10 +93,10 @@ nm_auth_subject_to_string (NMAuthSubject *self, char *buf, gsize buf_len)
 		            (unsigned long long) priv->unix_process.start_time);
 		break;
 	case NM_AUTH_SUBJECT_TYPE_INTERNAL:
-		g_strlcat (buf, "internal", buf_len);
+		g_strlcpy (buf, "internal", buf_len);
 		break;
 	default:
-		g_strlcat (buf, "invalid", buf_len);
+		g_strlcpy (buf, "invalid", buf_len);
 		break;
 	}
 	return buf;