From ba71a23fd47ee603eba670259caf96b8618fc8cc Mon Sep 17 00:00:00 2001
From: Simon Wilkinson <sxw@your-file-system.com>
Date: Sat, 2 Mar 2013 12:00:47 +0000
Subject: [PATCH] afsmonitor: Fix theoretical overflow of handler string

Don't do an unbounded copy into the thresh structure's handler
string, in case the caller has passed us a string which is too
long.

Instead, switch to strlcpy for all string copies.

Caught by coverity (#985761)

Reviewed-on: http://gerrit.openafs.org/9443
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(cherry picked from commit 95cd5b1d950ecb820179e4279b8570d8ad6780f5)

Change-Id: Id8d7f3b97ac3ccbf65862d61b2f9e9d39baeb162
Reviewed-on: http://gerrit.openafs.org/11057
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
---
 src/afsmonitor/afsmonitor.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/afsmonitor/afsmonitor.c b/src/afsmonitor/afsmonitor.c
index 7c9d54b6e..8a20f5db7 100644
--- a/src/afsmonitor/afsmonitor.c
+++ b/src/afsmonitor/afsmonitor.c
@@ -24,6 +24,7 @@
 #include <string.h>
 #include <errno.h>
 #include <afs/cmd.h>
+#include <afs/afsutil.h>
 #include <signal.h>
 #undef IN
 #include <sys/types.h>
@@ -1001,10 +1002,12 @@ store_threshold(int a_type,		/* 1 = fs , 2 = cm */
 	    for (j = 0; j < tmp_host->numThresh; j++) {
 		if ((threshP->itemName[0] == '\0')
 		    || (strcasecmp(threshP->itemName, a_varName) == 0)) {
-		    strncpy(threshP->itemName, a_varName,
-			    THRESH_VAR_NAME_LEN);
-		    strncpy(threshP->threshVal, a_value, THRESH_VAR_LEN);
-		    strcpy(threshP->handler, a_handler);
+		    strlcpy(threshP->itemName, a_varName,
+			    sizeof(threshP->itemName));
+		    strlcpy(threshP->threshVal, a_value,
+			    sizeof(threshP->threshVal));
+		    strlcpy(threshP->handler, a_handler,
+			    sizeof(threshP->handler));
 		    threshP->index = index;
 		    done = 1;
 		    break;
@@ -1056,9 +1059,9 @@ store_threshold(int a_type,		/* 1 = fs , 2 = cm */
     for (i = 0; i < tmp_host->numThresh; i++) {
 	if ((threshP->itemName[0] == '\0')
 	    || (strcasecmp(threshP->itemName, a_varName) == 0)) {
-	    strncpy(threshP->itemName, a_varName, THRESH_VAR_NAME_LEN);
-	    strncpy(threshP->threshVal, a_value, THRESH_VAR_LEN);
-	    strcpy(threshP->handler, a_handler);
+	    strlcpy(threshP->itemName, a_varName, sizeof(threshP->itemName));
+	    strlcpy(threshP->threshVal, a_value, sizeof(threshP->threshVal));
+	    strlcpy(threshP->handler, a_handler, sizeof(threshP->handler));
 	    threshP->index = index;
 	    done = 1;
 	    break;
-- 
2.39.5