lprm has an arbitrary limit on the length of the username that can remove
    static char luser[16];  /* buffer for person */
    register char *arg;
    struct passwd *p;
    uid = getuid();
    euid = geteuid();
    name = argv[0];
    openlog("lpd", 0, LOG_LPR);
    if ((p = getpwuid(getuid())) == NULL)
        fatal("Who are you?");
    if (strlen(p->pw_name) >= sizeof(luser))
        fatal("Your name is too long");
The value of 16 is interesting - why not 9?
Isn't this also a buffer overflow by one character if the username is of length
This is fixed by the move to LPRng in rawhide.
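The boundary behaviour of the length check quoted in the report, as an added example that is not part of the original report or of lprm's source. The helper names, the `>` variant and the sample names are hypothetical, and it assumes the name is later copied into the 16-byte buffer together with its terminating NUL.

```c
#include <stddef.h>
#include <string.h>

#define LUSER_SIZE 16  /* size of the luser buffer discussed in the report */

/* The check as quoted: reject when strlen(name) >= buffer size.
 * Accepted names are at most size-1 characters, so the name plus its
 * terminating NUL always fits. Returns 1 if accepted, 0 if rejected. */
static int accepts_ge(const char *name, size_t bufsize)
{
    return !(strlen(name) >= bufsize);
}

/* Hypothetical off-by-one variant (not in the quoted code): using >
 * instead of >= would accept a name exactly bufsize characters long. */
static int accepts_gt(const char *name, size_t bufsize)
{
    return !(strlen(name) > bufsize);
}

/* Bytes a string copy into the buffer would write, NUL included. */
static size_t bytes_written(const char *name)
{
    return strlen(name) + 1;
}

/* Bounded copy using the quoted check; returns 0 on success, -1 if the
 * name does not fit. dst is left untouched on failure. */
static int copy_login_name(char *dst, size_t dstsize, const char *name)
{
    if (!accepts_ge(name, dstsize))
        return -1;
    memcpy(dst, name, bytes_written(name));
    return 0;
}

int main(void)
{
    char luser[LUSER_SIZE];
    const char *n15 = "abcdefghijklmno";   /* constructed, 15 chars */
    const char *n16 = "abcdefghijklmnop";  /* constructed, 16 chars */

    /* 15 chars fit; 16 chars are refused by >= but would pass > */
    return !(copy_login_name(luser, sizeof luser, n15) == 0 &&
             copy_login_name(luser, sizeof luser, n16) == -1 &&
             accepts_gt(n16, sizeof luser) &&
             bytes_written(n16) > sizeof luser);
}
```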