From: Simon Wilkinson Date: Fri, 8 Mar 2013 13:01:28 +0000 (+0000) Subject: bos: Don't overflow cellname buffer X-Git-Tag: upstream/1.6.8^2~38 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=538faed7f79f48864cb8bccf4c4f819f55d9c0ca;p=packages%2Fo%2Fopenafs.git bos: Don't overflow cellname buffer Don't overflow the fixed sized cellname buffer when copying the information in from the command line - instead, just use a dynamically allocated buffer. Caught by coverity (#985775) Reviewed-on: http://gerrit.openafs.org/9549 Reviewed-by: Jeffrey Altman Tested-by: BuildBot Reviewed-by: Derrick Brashear (cherry picked from commit 45993e3ad55358c3e94105e2e3aa13df43f5fdd3) Change-Id: Idb2b165c9b08f72cb57ca879ff6d61f9d556a631 Reviewed-on: http://gerrit.openafs.org/10860 Tested-by: BuildBot Reviewed-by: Jeffrey Altman Reviewed-by: Michael Meffie Reviewed-by: Andrew Deason Reviewed-by: Stephan Wiesand
---
diff --git a/src/bozo/bos.c b/src/bozo/bos.c
index 45624b8be..5a4368c39 100644
--- a/src/bozo/bos.c
+++ b/src/bozo/bos.c
@@ -803,8 +803,6 @@ AddKey(struct cmd_syndesc *as, void *arock)
 afs_int32 code;
 struct ktc_encryptionKey tkey;
 afs_int32 temp;
- char *tcell;
- char cellBuffer[256];
 char buf[BUFSIZ], ver[BUFSIZ];
 tconn = GetConn(as, 1);
@@ -839,22 +837,29 @@ AddKey(struct cmd_syndesc *as, void *arock)
 */ strcpy((char *)&tkey, buf);
 } else { /* kerberos key */
+ char *tcell;
 if (as->parms[ADDPARMOFFSET].items) {
- strcpy(cellBuffer, as->parms[ADDPARMOFFSET].items->data);
+ tcell = strdup(as->parms[ADDPARMOFFSET].items->data);
+ if (tcell == NULL) {
+ fprintf(stderr, "bos: Unable to allocate memory for cellname\n");
+ exit(1);
+ }
 /* string to key needs upper-case cell names */ /* I don't believe this is true. The string to key function * actually expands the cell name, then LOWER-CASES it. Perhaps it * didn't use to??? */
- ucstring(cellBuffer, cellBuffer, strlen(cellBuffer));
- tcell = cellBuffer;
+ ucstring(tcell, tcell, strlen(tcell));
 } else tcell = NULL; /* no cell specified, use current */ /* ka_StringToKey(as->parms[1].items->data, tcell, &tkey); */ ka_StringToKey(buf, tcell, &tkey);
+
+ if (tcell)
+ free(tcell);
 }
 code = BOZO_AddKey(tconn, temp, ktc_to_bozoptr(&tkey));
 if (code) {
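Review bot: The context line `strcpy((char *)&tkey, buf);` at the top of this hunk is still an unbounded copy into a fixed-size object, so the non-Kerberos branch keeps the same kind of overflow that this commit removes for the cell name. `buf` is declared as `char buf[BUFSIZ]` in the first hunk and `tkey` is a `struct ktc_encryptionKey`, which is presumably far smaller than BUFSIZ; no length check is visible here, though one may exist earlier in AddKey, whose body starts and ends outside the hunk. A guard before the copy such as `if (strlen(buf) >= sizeof(tkey)) { fprintf(stderr, "bos: key too long\n"); exit(1); }` would close it, with the exact limit and message left to the maintainers. Separately, the `if (tcell)` test before `free(tcell);` is redundant, because free(NULL) is a no-op.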