granicus.if.org Git - sysstat/commitdiff
Fix #153: sar program buffer overflow when options -s or -e specified
author: Sebastien GODARD <sysstat@users.noreply.github.com>, Wed, 24 May 2017 09:23:03 +0000 (11:23 +0200)
committer: Sebastien GODARD <sysstat@users.noreply.github.com>, Wed, 24 May 2017 09:23:03 +0000 (11:23 +0200)
When a short time format is used with sar's options -s or -e (e.g.,
sar -s 04:00), 5 characters are copied by strncpy in parse_timestamp
to timestamp variable. Unfortunately these 5 characters do not contain
the termination, therefore the following strcat appends after the
next "random" null byte. Therefore writing beyond the end of timestamp.

This patch tries to prevent this by explicitly terminating.

Debian bug #863197.

Reported-by: Robert Luberda
Signed-off-by: Bernhard Ubelacker <bernhardu@mailbox.org>
Signed-off-by: Sebastien GODARD <sysstat@users.noreply.github.com>
sa_common.c

index 97807bf15424234f4cbb75a1f3677c4aa6a797aa..f1504a5f6e103ddde4e8d62fb572bab47c03f00d 100644 (file)
@@ -318,6 +318,7 @@ int parse_timestamp(char *argv[], int *opt, struct tstamp *tse,
 
                        case 5:
                                strncpy(timestamp, argv[(*opt)++], 5);
+                               timestamp[5] = '\0';
                                strcat(timestamp,":00");
                                break;
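
Review bot: in case 5 the fix is only safe if timestamp holds at least 9 bytes (5 copied characters, then ":00", then the NUL that strcat writes), and the declaration is not part of this hunk, so the size should be confirmed or asserted where the buffer is declared. A single bounded call such as snprintf(timestamp, sizeof(timestamp), "%.5s:00", argv[(*opt)++]) would copy, terminate and append in one step and remove the strncpy/strcat pairing that produced the overflow; that form assumes timestamp is an array in scope so that sizeof gives its real size. Any other case in this switch that calls strncpy with a count equal to the input length deserves the same check, and a one-line comment on why the terminator is written by hand would keep it from being dropped in a later cleanup.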