From 473322a453bbc409d54ab21e1d9637eaf15f085a Mon Sep 17 00:00:00 2001
From: Benjamin Kaduk <kaduk@mit.edu>
Date: Wed, 22 Jan 2014 06:00:00 +0100
Subject: [PATCH] cmd: Avoid unsafe use of strncat

The NName function was using strncat(a, b, sizeof(a)), which doesn't
work as you would expect if 'a' already contains data, giving a potential
buffer overflow.

This was fixed on master in commit 9a007a9df43645b63a8b642029b4931928f9268b
by using strlcat from libroken, but we do not use libroken on the 1.6
branch. Instead, modify the strncat invocation to use a safer maximum
length to copy.

This is a 1.6-specific change.

Change-Id: Ifa41e603a1c98682550afadd063def4b9706d9e2
Reviewed-on: http://gerrit.openafs.org/10731
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: D Brashear <shadow@your-file-system.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
---
 src/cmd/cmd.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/cmd/cmd.c b/src/cmd/cmd.c
index 179dd322d..8ddd9e0ee 100644
--- a/src/cmd/cmd.c
+++ b/src/cmd/cmd.c
@@ -43,8 +43,7 @@ NName(char *a1, char *a2)
         return "";
     } else {
         strncpy(tbuffer, a1, sizeof(tbuffer));
-        strncat(tbuffer, a2, sizeof(tbuffer));
-        tbuffer[sizeof(tbuffer)-1]='\0';
+        strncat(tbuffer, a2, sizeof(tbuffer) - strlen(tbuffer) - 1);
         return tbuffer;
     }
 }
-- 
2.39.5