From: Simon Wilkinson
Date: Tue, 26 Feb 2013 22:40:04 +0000 (+0000)
Subject: kauth: Fix overflow when writing ticket file
X-Git-Tag: upstream/1.6.10_pre1^2~169
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=3afc0fdfcfef07d11046a34b8c74ad0f7b1bb9ad;p=packages%2Fo%2Fopenafs.git

kauth: Fix overflow when writing ticket file

krb_write_ticket_file uses a fixed length buffer to store the name of the ticket file, but copies into this from an environment variable.

Remove the fixed length buffer, and use a mixture of the variable itself, and dynamically allocated strings.

Caught by coverity (#985909)

Reviewed-on: http://gerrit.openafs.org/9294
Tested-by: BuildBot
Reviewed-by: Derrick Brashear
Reviewed-by: Jeffrey Altman
(cherry picked from commit a332ce9d0e87fab55f3d286690026fe075f624dd)

Change-Id: Idcf442323b13cc4daa893917ede6492616ba1aeb
Reviewed-on: http://gerrit.openafs.org/11021
Tested-by: BuildBot
Reviewed-by: Chas Williams - CONTRACTOR
Reviewed-by: Andrew Deason
Reviewed-by: Stephan Wiesand
---

diff --git a/src/kauth/krb_tf.c b/src/kauth/krb_tf.c index 9fdaaf8ae..f0a57874b 100644 --- a/src/kauth/krb_tf.c +++ b/src/kauth/krb_tf.c @@ -61,6 +61,7 @@ #include #include #include +#include #include "kauth.h" #include "kautils.h" #include "kauth_internal.h" @@ -68,7 +69,6 @@ afs_int32 krb_write_ticket_file(char *realm) { - char ticket_file[AFSDIR_PATH_MAX]; int fd; int count; afs_int32 code;
@@ -91,10 +91,15 @@ krb_write_ticket_file(char *realm) * back upon /tmp/tkt(uid}. */ if ((tf_name = (char *)getenv("KRBTKFILE"))) - (void)sprintf(ticket_file, "%s", tf_name); - else - (void)sprintf(ticket_file, "%s/tkt%d", gettmpdir(), getuid()); - fd = open(ticket_file, O_WRONLY + O_CREAT + O_TRUNC, 0700); + fd = open(tf_name, O_WRONLY | O_CREAT | O_TRUNC, 0700); + else { + afs_asprintf(&tf_name, "%s/tkt%d", gettmpdir(), getuid()); + if (tf_name == NULL) + return ENOMEM; + fd = open(tf_name, O_WRONLY | O_CREAT | O_TRUNC, 0700); + free(tf_name); + } + if (fd <= 0) return errno;
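Review bot: In the new else branch of the last hunk, free(tf_name) runs between open() and the unchanged `if (fd <= 0) return errno;` check, so a failed open() can return an errno value that free() has since overwritten, and on platforms where free() does not preserve errno the caller may see a misleading code. Save errno immediately after open() and return the saved value, or move the free() after the failure check. The check itself treats descriptor 0 as a failure although open() reports failure only with -1, so `fd < 0` would be the accurate test; with `<= 0`, a legitimate descriptor 0 is leaked and a stale errno is returned. Separately, the fallback path still opens the predictable name "%s/tkt%d" under gettmpdir() with O_CREAT | O_TRUNC and neither O_EXCL nor O_NOFOLLOW, which deserves a follow-up change given that the file holds tickets.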