audit: Fix overflow in file backend

If the filename passed to open_file was larger than MAXPATHLEN-5,
then we'd overflow the oldName buffer when creating the backup
filename. Fix the overflow by using a malloc'd buffer instead.

Caught by coverity (#985767)

Reviewed-on: http://gerrit.openafs.org/9448
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>
(cherry picked from commit b0b3def56c15161df28059e270f0360c31241217)

Change-Id: I3993de8e4372c30d35e6e675042511f85ba9d014
Reviewed-on: http://gerrit.openafs.org/11062
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>

diff --git a/src/audit/audit-file.c b/src/audit/audit-file.c
index b786c8dec6cfe96adfc37910cc542cdd37e5aa78..f151c050967b6795c1385d05f7172dbe9b1ff923 100644 (file)
--- a/src/audit/audit-file.c
+++ b/src/audit/audit-file.c
@@ -14,6 +14,7 @@
 #include <string.h>
 #include <stdio.h>
 #include <stdarg.h>
+#include <stdlib.h>
 #include <fcntl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -48,7 +49,7 @@ static int
 open_file(const char *fileName)
 {
     int tempfd, flags;
-    char oldName[MAXPATHLEN];
+    char *oldName;
 
 #ifndef AFS_NT40_ENV
     struct stat statbuf;
@@ -59,10 +60,14 @@ open_file(const char *fileName)
     } else
 #endif
     {
-        strcpy(oldName, fileName);
-        strcat(oldName, ".old");
+       afs_asprintf(&oldName, "%s.old", fileName);
+       if (oldName == NULL) {
+           printf("Warning: Unable to create backup filename. Auditing ignored\n");
+           return 1;
+       }
         renamefile(fileName, oldName);
         flags = O_WRONLY | O_TRUNC | O_CREAT;
+       free(oldName);
     }
     tempfd = open(fileName, flags, 0666);
     if (tempfd > -1) {