From 9761e8aa20b5de36d53f9528ac5425d50f3f3492 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Tue, 6 Apr 2010 16:31:37 -0700
Subject: [PATCH] Reallocate memory in aklog for the AFS ID string
aklog was previously writing the magic AFS ID string into previously alloated memory with sprintf, but the variable in question was only as long as the username, so this code could overwrite memory and lead to heap corruption. Free previously allocated memory and use afs_asprintf to format the AFS ID string instead.
Change-Id: I7649864817340764c39c176606a9a543c10983c9
Reviewed-on: http://gerrit.openafs.org/1706
Tested-by: Russ Allbery
Reviewed-by: Simon Wilkinson
Reviewed-by: Derrick Brashear
Tested-by: Derrick Brashear
(cherry picked from commit 8d41bc24c51018a25eac49b3403cbb276713e1ad)
---
 src/aklog/aklog.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/aklog/aklog.c b/src/aklog/aklog.c
index cd994c6e3..43cd8465d 100644
--- a/src/aklog/aklog.c
+++ b/src/aklog/aklog.c
@@ -1100,7 +1100,12 @@ auth_to_cell(krb5_context context, char *cell, char *realm, char **linkedcell)
 */
 if ((status == 0) && (viceId != ANONYMOUSID)) {
- sprintf(username, "AFS ID %d", (int) viceId);
+ free(username);
+ if (afs_asprintf(&username, "AFS ID %d", (int) viceId) < 0) {
+ status = ENOMEM;
+ username = NULL;
+ goto out;
+ }
 }
 }
-- 
2.39.5
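Review bot: The added `free(username)` is only valid if `username` points at the start of a heap block that this function owns on every path into this branch, and if nothing else still holds the old pointer. The hunk does not show where `username` is assigned, and auth_to_cell starts and ends outside it, so this needs confirming against the rest of the function. I would record the rule at the site with a comment such as `/* username is heap-allocated and owned here; replace it, never format into it in place: it was sized for the original name only */`. On the failure path, `username = NULL` before `goto out` is correct provided the `out:` cleanup tolerates NULL. `status = ENOMEM` stores an errno value in a variable the visible code only compares with 0, so check that callers treat it as a failure in the same namespace as the function's other status values. Any other in-place `sprintf` into `username` elsewhere in the file, if one exists, would deserve the same treatment.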