rmtsys: Don't overflow pathname buffer

When we're constructing a homedirectory path to look for the
.AFSSERVER file in, we copy the HOME environment variable into a
static buffer, with a risk of overflowing that buffer.

Instead of using a static buffer, just allocate one with asprintf.

Caught by coverity (#985910)

Reviewed-on: http://gerrit.openafs.org/9392
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(cherry picked from commit f322b0ff1ec44d713c23d567f4d304e3dc65e702)

Change-Id: I588fecf4caee64915fc2e7730f68f051d6faa92a
Reviewed-on: http://gerrit.openafs.org/11043
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>

diff --git a/src/sys/rmtsysc.c b/src/sys/rmtsysc.c
index bac6f7ea59216d4f1cefb1e7fd4ceebce105b1a8..6901febb07565e2d60eefb7edc28fe744f71239d 100644 (file)
--- a/src/sys/rmtsysc.c
+++ b/src/sys/rmtsysc.c
@@ -38,6 +38,7 @@
 #include <grp.h>
 #endif
 #include <rx/xdr.h>
+#include <afs/afsutil.h>
 #include "rmtsys.h"
 #include "sys_prototypes.h"
 
@@ -84,10 +85,14 @@ GetAfsServerAddr(char *syscall)
            fgets(server_name, 128, fp);
            fclose(fp);
        } else {
-           char pathname[256];
+           char *pathname;
 
-           sprintf(pathname, "%s/%s", home_dir, ".AFSSERVER");
+           afs_asprintf(&pathname, "%s/%s", home_dir, ".AFSSERVER");
+           if (pathname == NULL)
+               return 0;
            fp = fopen(pathname, "r");
+           free(pathname);
+
            if (fp == 0) {
                /* Our last chance is the "/.AFSSERVER" file */
                fp = fopen("/.AFSSERVER", "r");