auth-subject: fix potential memory corruption in nm_auth_subject_to_string()

We don't want to apped the value to @buf, we want to set it. Also, if @buf happens to be uninitialized, g_strlcat() might determine there is nothing to append and return the buffer unmodified. Then, the (non NULL terminated) buffer might be printed. Note that before recent refactoring, we effectively would only call nm_auth_subject_to_string() on auth-subjects that were of type UNIX-PROCESS. Hence, this bug came only to light very recently, although it was present for a long time. Fixes: eabe7d856c243673bbaba3295ce74d72e188596d
author: Thomas Haller <thaller@redhat.com> 2018-04-13 11:31:45 +0200
committer: Thomas Haller <thaller@redhat.com> 2018-04-13 11:34:08 +0200
commit: 6fbbb5be7424ed38b6d124a4a95d11a962aa789d (patch)
tree: bcfbcbf6612c25b5fc95912543b87bac000c7090
parent: 09e44b96ddbd7185bc061967f93b2cd59ee500ec (diff)
download: NetworkManager-6fbbb5be7424ed38b6d124a4a95d11a962aa789d.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/src/nm-auth-subject.c b/src/nm-auth-subject.c
index a96a4d99a4..24a55f81d7 100644
--- a/src/nm-auth-subject.c
+++ b/src/nm-auth-subject.c
@@ -93,10 +93,10 @@ nm_auth_subject_to_string (NMAuthSubject *self, char *buf, gsize buf_len)
 		            (unsigned long long) priv->unix_process.start_time);
 		break;
 	case NM_AUTH_SUBJECT_TYPE_INTERNAL:
-		g_strlcat (buf, "internal", buf_len);
+		g_strlcpy (buf, "internal", buf_len);
 		break;
 	default:
-		g_strlcat (buf, "invalid", buf_len);
+		g_strlcpy (buf, "invalid", buf_len);
 		break;
 	}
 	return buf;
author	Thomas Haller <thaller@redhat.com>	2018-04-13 11:31:45 +0200
committer	Thomas Haller <thaller@redhat.com>	2018-04-13 11:34:08 +0200
commit	6fbbb5be7424ed38b6d124a4a95d11a962aa789d (patch)
tree	bcfbcbf6612c25b5fc95912543b87bac000c7090
parent	09e44b96ddbd7185bc061967f93b2cd59ee500ec (diff)
download	NetworkManager-6fbbb5be7424ed38b6d124a4a95d11a962aa789d.tar.gz