From: Simon Wilkinson <sxw@your-file-system.com>
Date: Sat, 2 Mar 2013 12:00:47 +0000 (+0000)
Subject: afsmonitor: Fix theoretical overflow of handler string
X-Git-Tag: upstream/1.8.0_pre1^2~1335
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=95cd5b1d950ecb820179e4279b8570d8ad6780f5;p=packages%2Fo%2Fopenafs.git

afsmonitor: Fix theoretical overflow of handler string

Don't do an unbounded copy into the thresh structure's handler
string, in case the caller has passed us a string which is too
long.

Instead, switch to strlcpy for all string copies.

Caught by coverity (#985761)

Change-Id: I80e3d35d7a9a4b57e8efc0cb0c7b2dc12f021063
Reviewed-on: http://gerrit.openafs.org/9443
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
---

diff --git a/src/afsmonitor/afsmonitor.c b/src/afsmonitor/afsmonitor.c
index 9ba8b3889..b617ecdc8 100644
--- a/src/afsmonitor/afsmonitor.c
+++ b/src/afsmonitor/afsmonitor.c
@@ -989,10 +989,12 @@ store_threshold(int a_type,		/* 1 = fs , 2 = cm */
 	    for (j = 0; j < tmp_host->numThresh; j++) {
 		if ((threshP->itemName[0] == '\0')
 		    || (strcasecmp(threshP->itemName, a_varName) == 0)) {
-		    strncpy(threshP->itemName, a_varName,
-			    THRESH_VAR_NAME_LEN);
-		    strncpy(threshP->threshVal, a_value, THRESH_VAR_LEN);
-		    strcpy(threshP->handler, a_handler);
+		    strlcpy(threshP->itemName, a_varName,
+			    sizeof(threshP->itemName));
+		    strlcpy(threshP->threshVal, a_value,
+			    sizeof(threshP->threshVal));
+		    strlcpy(threshP->handler, a_handler,
+			    sizeof(threshP->handler));
 		    threshP->index = index;
 		    done = 1;
 		    break;
@@ -1044,9 +1046,9 @@ store_threshold(int a_type,		/* 1 = fs , 2 = cm */
     for (i = 0; i < tmp_host->numThresh; i++) {
 	if ((threshP->itemName[0] == '\0')
 	    || (strcasecmp(threshP->itemName, a_varName) == 0)) {
-	    strncpy(threshP->itemName, a_varName, THRESH_VAR_NAME_LEN);
-	    strncpy(threshP->threshVal, a_value, THRESH_VAR_LEN);
-	    strcpy(threshP->handler, a_handler);
+	    strlcpy(threshP->itemName, a_varName, sizeof(threshP->itemName));
+	    strlcpy(threshP->threshVal, a_value, sizeof(threshP->threshVal));
+	    strlcpy(threshP->handler, a_handler, sizeof(threshP->handler));
 	    threshP->index = index;
 	    done = 1;
 	    break;