From 810dcb5426e8e71c0d02b0a9a6b6f33cc7189caf Mon Sep 17 00:00:00 2001
From: christos
Date: Fri, 29 Sep 2023 12:08:03 +0000
Subject: [PATCH] Check for non-printable characters in ut_host. reported by https://twitter.com/adamsimuntis
---
 libexec/utmp_update/utmp_update.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/libexec/utmp_update/utmp_update.c b/libexec/utmp_update/utmp_update.c
index af184d867917..d8d0aebb3da3 100644
--- a/libexec/utmp_update/utmp_update.c
+++ b/libexec/utmp_update/utmp_update.c
@@ -1,4 +1,4 @@
-/* $NetBSD: utmp_update.c,v 1.13 2015/04/26 08:56:19 mlelstv Exp $ */
+/* $NetBSD: utmp_update.c,v 1.14 2023/09/29 12:08:03 christos Exp $ */
 /*-
 * Copyright (c) 2002 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
 */
 #include
-__RCSID("$NetBSD: utmp_update.c,v 1.13 2015/04/26 08:56:19 mlelstv Exp $");
+__RCSID("$NetBSD: utmp_update.c,v 1.14 2023/09/29 12:08:03 christos Exp $");
 #include
 #include
@@ -41,6 +41,7 @@ __RCSID("$NetBSD: utmp_update.c,v 1.13 2015/04/26 08:56:19 mlelstv Exp $");
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -80,6 +81,7 @@ main(int argc, char *argv[])
 int res;
 uid_t euid, ruid;
 char tty[MAXPATHLEN];
+ const char *p, *ep;
 euid = geteuid();
 ruid = getuid();
@@ -115,6 +117,12 @@ main(int argc, char *argv[])
 logerr(0, "Invalid utmpx type %d", (int)utx->ut_type);
 }
+ p = utx->ut_host;
+ ep = p + sizeof(utx->ut_host);
+ for (; p < ep && *p; p++)
+ if (!isprint((unsigned char)*p))
+ logerr(0, "Non-printable characters in hostname");
+
 if (ruid != 0) {
 if ((pwd = getpwuid(ruid)) == NULL)
 logerr(0, "User %ld does not exist in password"
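Review bot: The scan added in the last hunk validates only `utx->ut_host`, and nothing visible here shows whether the other character arrays of the utmpx record (which the surrounding ut_type and ruid checks suggest comes from the invoking user) are constrained elsewhere. main() starts and ends outside the hunk, so that is worth confirming before the record is treated as safe to display. `isprint()` is also locale-dependent, so the test means "ASCII 0x20–0x7e" only while the program stays in the "C" locale; no `setlocale()` call is visible in these hunks, and if ASCII-only is the intent it can be made explicit with `if ((unsigned char)*p < 0x20 || (unsigned char)*p > 0x7e)`. The loop also has no comment explaining its bound, so I would add above it `/* ut_host may lack a terminating NUL: scan at most sizeof(ut_host) bytes and reject control characters */`, which keeps a later cleanup from replacing it with a strlen()-style scan.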