Bug 11571

Summary: getlogin_r (NULL, 0) segfaults
Product: glibc
Reporter: Richard Jones <rjones>
Component: libc
Assignee: Ulrich Drepper <drepper.fsp>
Severity: normal
CC: glibc-bugs
Priority: P2
Flags: fweimer: security-
Version: unspecified
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:

Description Richard Jones 2010-05-05 16:01:24 UTC
#include <unistd.h>

int main (void)
{
  getlogin_r (NULL, 0);   /* zero-length buffer: segfaults on glibc 2.12 */
  return 0;
}
$ gcc -g test.c -o test
$ ./test 
Segmentation fault (core dumped)

This seems to be a regression in glibc 2.12, since glibc 2.11.90
did not segfault under these conditions.

The stack trace is:

Program received signal SIGSEGV, Segmentation fault.
__strncpy_sse2 (s1=0x0, s2=0x7fffffffdee1 "jones", n=18446744073709551615)
    at ./strncpy.c:43
43		  *++s1 = c;
(gdb) bt
#0  __strncpy_sse2 (s1=0x0, s2=0x7fffffffdee1 "jones", n=18446744073709551615)
    at ./strncpy.c:43
#1  0x00007ffff7b071d2 in __getlogin_r_loginuid (name=0x0, namesize=0)
    at ../sysdeps/unix/sysv/linux/getlogin_r.c:84
#2  0x00007ffff7b07299 in getlogin_r (name=0x0, namesize=0)
    at ../sysdeps/unix/sysv/linux/getlogin_r.c:103
#3  0x00000000004004d7 in main () at test.c:5
Comment 1 Richard Jones 2010-05-05 16:03:25 UTC
Note the problem is the zero length, not the
NULL pointer.  For example this also segfaults:

#include <unistd.h>

int main (void)
{
  char buffer[10000];
  getlogin_r (buffer, 0);   /* non-NULL buffer, zero length: still segfaults */
  return 0;
}
Comment 2 Richard Jones 2010-05-05 16:08:43 UTC
Problem is:

  getlogin_r.c:84   strncpy (name, pwd.pw_name, namesize - 1);


namesize == 0, so it calls strncpy with -1 as the 3rd parameter.
Comment 3 Ulrich Drepper 2010-05-05 16:45:22 UTC
Fixed in git.
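The root cause named in comment 2 is an unsigned underflow: `namesize` is a `size_t`, so `namesize - 1` with `namesize == 0` wraps to `SIZE_MAX`, which is the `n=18446744073709551615` in the backtrace, and strncpy then writes past whatever buffer it was given. The following C program is an added example, not code from the bug report or from glibc: `buggy_copy_len` isolates the wrapping arithmetic without performing the copy, and `copy_login_name` is a hypothetical hardened stand-in for the tail of getlogin_r that rejects a zero-length or too-small buffer with ERANGE (the error POSIX specifies for getlogin_r when the name does not fit) before doing any arithmetic on `namesize`. The name "jones" is taken from the backtrace; the function names and the check routine are constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The length the affected glibc 2.12 code hands to strncpy(): namesize - 1.
 * size_t is unsigned, so namesize == 0 wraps to SIZE_MAX, matching the
 * n=18446744073709551615 in the backtrace.  Only computes the value; it
 * deliberately does not perform the copy. */
size_t buggy_copy_len(size_t namesize)
{
    return namesize - 1;
}

/* Hardened copy of a login name into a caller-supplied buffer.  Hypothetical
 * stand-in for the tail of getlogin_r(), not glibc's code.  The zero-length
 * check runs before any arithmetic on namesize, so the underflow above can
 * never happen; returns 0 with a NUL-terminated name on success, ERANGE when
 * the name plus its terminating NUL does not fit. */
int copy_login_name(char *name, size_t namesize, const char *pw_name)
{
    if (name == NULL || namesize == 0)
        return ERANGE;              /* nothing can be stored, not even the NUL */

    size_t len = strlen(pw_name);
    if (len >= namesize)
        return ERANGE;              /* name plus terminating NUL does not fit */

    memcpy(name, pw_name, len + 1); /* copies the NUL as well */
    return 0;
}

/* Exercises the hardened copy on the constructed name "jones" from the
 * backtrace, including the two inputs that crash the buggy version.
 * Returns 1 if every case behaves as expected, 0 otherwise. */
int check_copy_login_name(void)
{
    char buf[6];                    /* exactly room for "jones" + NUL */

    if (copy_login_name(NULL, 0, "jones") != ERANGE) return 0;  /* input from the description */
    if (copy_login_name(buf, 0, "jones") != ERANGE) return 0;   /* input from comment 1 */
    if (copy_login_name(buf, 5, "jones") != ERANGE) return 0;   /* one byte short of fitting */
    if (copy_login_name(buf, sizeof buf, "jones") != 0) return 0;
    if (strcmp(buf, "jones") != 0) return 0;
    return 1;
}

int main(void)
{
    printf("namesize - 1 with namesize == 0: %zu\n", buggy_copy_len(0));
    printf("hardened copy checks: %s\n",
           check_copy_login_name() ? "ok" : "FAILED");
    return 0;
}
```

The ordering matters: the `namesize == 0` test has to come before any `namesize - 1`, and comparing `len >= namesize` instead of copying `namesize - 1` bytes avoids the subtraction entirely while still guaranteeing room for the terminator.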