From 13515489cbfd138d221d54bdedc4bf44ff24778e Mon Sep 17 00:00:00 2001 From: Simon Wilkinson Date: Tue, 26 Feb 2013 22:27:25 +0000 Subject: [PATCH] auth: Fix buffer overflow in afsconf_Open If we fallback to the .AFSCONF file in the user's homedirectory, the results of getenv("HOME") are copied into a fixed length string, without checking for overflows. Instead of risking this, just use asprintf to dynamically construct a string, and free it when we are done. Caught by coverity (#985905) Reviewed-on: http://gerrit.openafs.org/9292 Tested-by: BuildBot Reviewed-by: Derrick Brashear Reviewed-by: Jeffrey Altman (cherry picked from commit 41d9ea697bf5e81e5003ad7b208788223c25536b) Change-Id: I5b8664328dd0d397cbe459ff1e7667e63afc31e2 Reviewed-on: http://gerrit.openafs.org/11019 Tested-by: BuildBot Reviewed-by: Chas Williams - CONTRACTOR Reviewed-by: Andrew Deason Reviewed-by: Benjamin Kaduk Reviewed-by: Stephan Wiesand --- src/auth/cellconfig.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/auth/cellconfig.c b/src/auth/cellconfig.c index 59a5cd889..e4425d22e 100644 --- a/src/auth/cellconfig.c +++ b/src/auth/cellconfig.c @@ -473,10 +473,18 @@ afsconf_Open(const char *adir) fgets(afs_confdir, 128, fp); fclose(fp); } else { - char pathname[256]; + char *pathname = NULL; + + afs_asprintf(&pathname, "%s/%s", home_dir, ".AFSCONF"); + if (pathname == NULL) { + free(tdir); + UNLOCK_GLOBAL_MUTEX; + return (struct afsconf_dir *) 0; + } - sprintf(pathname, "%s/%s", home_dir, ".AFSCONF"); fp = fopen(pathname, "r"); + free(pathname); + if (fp == 0) { /* Our last chance is the "/.AFSCONF" file */ fp = fopen("/.AFSCONF", "r"); -- 2.39.5
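Review bot: The failure check after the afs_asprintf call tests `pathname == NULL` instead of the call's return value, which is only correct if afs_asprintf guarantees the output pointer is left (or reset to) NULL when allocation fails; the standard asprintf gives no such guarantee about the pointer's contents on error, and the helper's behaviour is not visible in this hunk. Assuming afs_asprintf follows the asprintf convention of returning a negative value on failure, test that directly, for example `if (afs_asprintf(&pathname, "%s/%s", home_dir, ".AFSCONF") < 0)`, and keep the same cleanup (free(tdir), UNLOCK_GLOBAL_MUTEX, return). Freeing pathname immediately after fopen is fine, since the string is not used again in the visible lines. Separately, the unchanged context line `fgets(afs_confdir, 128, fp);` still uses a hard-coded length and ignores the return value; since the commit is about fixed-length buffers on this path, it is worth confirming that afs_confdir is at least 128 bytes and replacing the literal with sizeof where the declaration allows it.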