From 6fbbb5be7424ed38b6d124a4a95d11a962aa789d Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Fri, 13 Apr 2018 11:31:45 +0200 Subject: [PATCH] auth-subject: fix potential memory corruption in nm_auth_subject_to_string() We don't want to apped the value to @buf, we want to set it. Also, if @buf happens to be uninitialized, g_strlcat() might determine there is nothing to append and return the buffer unmodified. Then, the (non NULL terminated) buffer might be printed. Note that before recent refactoring, we effectively would only call nm_auth_subject_to_string() on auth-subjects that were of type UNIX-PROCESS. Hence, this bug came only to light very recently, although it was present for a long time. Fixes: eabe7d856c243673bbaba3295ce74d72e188596d --- src/nm-auth-subject.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/nm-auth-subject.c b/src/nm-auth-subject.c index a96a4d99a4..24a55f81d7 100644 --- a/src/nm-auth-subject.c +++ b/src/nm-auth-subject.c @@ -93,10 +93,10 @@ nm_auth_subject_to_string (NMAuthSubject *self, char *buf, gsize buf_len) (unsigned long long) priv->unix_process.start_time); break; case NM_AUTH_SUBJECT_TYPE_INTERNAL: - g_strlcat (buf, "internal", buf_len); + g_strlcpy (buf, "internal", buf_len); break; default: - g_strlcat (buf, "invalid", buf_len); + g_strlcpy (buf, "invalid", buf_len); break; } return buf;