From: Benjamin Kaduk <kaduk@mit.edu>
Date: Wed, 22 Jan 2014 05:00:00 +0000 (+0100)
Subject: cmd: Avoid unsafe use of strncat
X-Git-Tag: upstream/1.6.8^2~64
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=473322a453bbc409d54ab21e1d9637eaf15f085a;p=packages%2Fo%2Fopenafs.git

cmd: Avoid unsafe use of strncat

The NName function was using strncat(a, b, sizeof(a)), which doesn't
work as you would expect if 'a' already contains data, giving a potential
buffer overflow.

This was fixed on master in commit 9a007a9df43645b63a8b642029b4931928f9268b
by using strlcat from libroken, but we do not use libroken on the 1.6
branch. Instead, modify the strncat invocation to use a safer maximum
length to copy.

This is a 1.6-specific change.

Change-Id: Ifa41e603a1c98682550afadd063def4b9706d9e2
Reviewed-on: http://gerrit.openafs.org/10731
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: D Brashear <shadow@your-file-system.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
---

diff --git a/src/cmd/cmd.c b/src/cmd/cmd.c
index 179dd322d..8ddd9e0ee 100644
--- a/src/cmd/cmd.c
+++ b/src/cmd/cmd.c
@@ -43,8 +43,7 @@ NName(char *a1, char *a2)
         return "";
     } else {
         strncpy(tbuffer, a1, sizeof(tbuffer));
-        strncat(tbuffer, a2, sizeof(tbuffer));
-        tbuffer[sizeof(tbuffer)-1]='\0';
+        strncat(tbuffer, a2, sizeof(tbuffer) - strlen(tbuffer) - 1);
         return tbuffer;
     }
 }