From: Jeffrey Altman Date: Mon, 16 Aug 2010 14:09:22 +0000 (-0400) Subject: Windows: prevent buffer overrun in cklog X-Git-Tag: openafs-devel-1_5_76~3 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=ce2422000446eed0e4a6edf926df4fe93206508d;p=packages%2Fo%2Fopenafs.git Windows: prevent buffer overrun in cklog The Windows version of klog.exe will overwrite the realm and password buffers if the command line input is too long. Generate an error and terminate the program instead. Change-Id: I80671adcf92e9140f14a943b2677a352d2223eee Reviewed-on: http://gerrit.openafs.org/2558 Reviewed-by: Derrick Brashear Tested-by: BuildBot Reviewed-by: Jeffrey Altman Tested-by: Jeffrey Altman
---
diff --git a/src/WINNT/afsd/cklog.c b/src/WINNT/afsd/cklog.c
index 2456fcb88..40700da66 100644
--- a/src/WINNT/afsd/cklog.c
+++ b/src/WINNT/afsd/cklog.c
@@ -192,7 +192,15 @@ CommandProc (struct cmd_syndesc *as, void *arock)
 * the given cell name differs from our own, we don't do a lookup. */
 foundExplicitCell = 1;
+ if (strlen(as->parms[aCELL].items->data) >= sizeof(realm)) {
+ if (!Silent)
+ fprintf(stderr,
+ "Cell name too long - maximum length is %d\n",
+ sizeof(realm) - 1);
+ return -1;
+ }
 strncpy (realm, as->parms[aCELL].items->data, sizeof(realm));
+ realm[sizeof(realm) - 1] = '\0';
 }
 if (as->parms[aSERVERS].items) {
@@ -217,7 +225,15 @@ CommandProc (struct cmd_syndesc *as, void *arock)
 return -1;
 }
 foundExplicitCell = 1;
+ if (strlen(cell) >= sizeof(realm)) {
+ if (!Silent)
+ fprintf(stderr,
+ "Cell too long - maximum length is %d\n",
+ sizeof(realm) - 1);
+ return -1;
+ }
 strncpy (realm, cell, sizeof(realm));
+ realm[sizeof(realm) - 1] = '\0';
 }
 } else {
 /* No explicit name provided. */
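Review bot: The new `fprintf` in the aCELL branch passes `sizeof(realm) - 1`, which has type `size_t`, to a `%d` conversion; that is a format/argument mismatch and undefined behaviour wherever `size_t` is wider than `int`, as on 64-bit Windows builds. Cast the argument so it matches the specifier: `(int)(sizeof(realm) - 1)`. The same mismatch is present in the `cell` branch of the second hunk and in the password branch of the third hunk (`sizeof(passwd) - 1`). CommandProc starts and ends outside these hunks.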
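Review bot: The message in this second hunk reads `"Cell too long - maximum length is %d\n"`, while the aCELL branch in the first hunk reports the same `realm` limit as `"Cell name too long - ..."`; one wording for both makes the failure easier to search for and document. The check, copy and terminate sequence now appears three times in CommandProc, so a small `static` helper taking the destination, its size, the source and a label would keep the bound, the message and the terminator in one place. The enclosing function extends beyond the hunk, so any cleanup this new `return -1` would skip is not visible here.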
@@ -237,7 +253,15 @@ CommandProc (struct cmd_syndesc *as, void *arock)
 * see it there with ps! */
 foundPassword = 1;
+ if (strlen(as->parms[aPASSWORD].items->data) >= sizeof(passwd)) {
+ if (!Silent)
+ fprintf(stderr,
+ "Password too long - maximum length is %d\n",
+ sizeof(passwd) - 1);
+ return -1;
+ }
 strncpy (passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
+ passwd[sizeof(passwd) - 1] = '\0';
 memset (as->parms[aPASSWORD].items->data, 0, strlen(as->parms[aPASSWORD].items->data));
 }
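Review bot: The new early return in the aPASSWORD branch leaves the command-line password intact in `as->parms[aPASSWORD].items->data`, because the `memset` that scrubs it runs only after a successful copy. The surrounding comment says the argument is zeroed so it cannot be seen with ps, so the rejection path should scrub it as well: add `memset (as->parms[aPASSWORD].items->data, 0, strlen(as->parms[aPASSWORD].items->data));` before the `return -1;`. How long the string would otherwise linger depends on what the caller does with -1, which is outside the hunk.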