Hi,
strlcpy() accesses the source string until it finds NUL, even if
it is beyond the size limit. As msg is not NUL-terminated in this
case, it depends on memory content whether syslogd will crash. So
using memcpy() and setting the NUL explicitly is the correct way.
ok?
bluhm
Index: usr.sbin/syslogd/syslogd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.177
diff -u -p -r1.177 syslogd.c
--- usr.sbin/syslogd/syslogd.c 20 Jul 2015 19:49:33 -0000 1.177
+++ usr.sbin/syslogd/syslogd.c 25 Aug 2015 16:33:42 -0000
@@ -1037,6 +1037,7 @@ tcp_readcb(struct bufferevent *bufev, vo
{
struct peer *p = arg;
char *msg, line[MAXLINE + 1];
+ size_t linelen;
int len;
while (EVBUFFER_LENGTH(bufev->input) > 0) {
@@ -1055,8 +1056,9 @@ tcp_readcb(struct bufferevent *bufev, vo
if (len > 0 && msg[len-1] == '\n')
msg[len-1] = '\0';
if (len == 0 || msg[len-1] != '\0') {
- strlcpy(line, msg,
- MINIMUM((size_t)len+1, sizeof(line)));
+ linelen = MINIMUM((size_t)len, sizeof(line)-1);
+ memcpy(line, msg, linelen);
+ line[linelen] = '\0';
msg = line;
}
printline(p->p_hostname, msg);
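Review bot: The added memcpy()/explicit-NUL lines carry no comment saying why strlcpy() is avoided, so a later cleanup could put it back and reintroduce the read past the end of msg; I would add `/* msg is not NUL-terminated here, strlcpy() would read past len */` above the `linelen =` line. The bound itself looks right: linelen is at most sizeof(line)-1, so the terminator write stays inside line. The `(size_t)len` cast assumes len is never negative, in which case memcpy() would read MAXLINE bytes from msg. len is assigned outside this hunk (tcp_readcb's body starts and ends outside it), so that is worth confirming against the framing code.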