From ce2422000446eed0e4a6edf926df4fe93206508d Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Mon, 16 Aug 2010 10:09:22 -0400
Subject: [PATCH] Windows: prevent buffer overrun in cklog

The Windows version of klog.exe will overwrite the realm and password buffers if the command line input is too long. Generate an error and terminate the program instead.

Change-Id: I80671adcf92e9140f14a943b2677a352d2223eee
Reviewed-on: http://gerrit.openafs.org/2558
Reviewed-by: Derrick Brashear
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
Tested-by: Jeffrey Altman
---
 src/WINNT/afsd/cklog.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/WINNT/afsd/cklog.c b/src/WINNT/afsd/cklog.c
index 2456fcb88..40700da66 100644
--- a/src/WINNT/afsd/cklog.c
+++ b/src/WINNT/afsd/cklog.c
@@ -192,7 +192,15 @@ CommandProc (struct cmd_syndesc *as, void *arock)
 * the given cell name differs from our own, we don't do a lookup.
 */
 foundExplicitCell = 1;
+ if (strlen(as->parms[aCELL].items->data) >= sizeof(realm)) {
+ if (!Silent)
+ fprintf(stderr,
+ "Cell name too long - maximum length is %d\n",
+ sizeof(realm) - 1);
+ return -1;
+ }
 strncpy (realm, as->parms[aCELL].items->data, sizeof(realm));
+ realm[sizeof(realm) - 1] = '\0';
 }
 if (as->parms[aSERVERS].items) {
@@ -217,7 +225,15 @@ CommandProc (struct cmd_syndesc *as, void *arock)
 return -1;
 }
 foundExplicitCell = 1;
+ if (strlen(cell) >= sizeof(realm)) {
+ if (!Silent)
+ fprintf(stderr,
+ "Cell too long - maximum length is %d\n",
+ sizeof(realm) - 1);
+ return -1;
+ }
 strncpy (realm, cell, sizeof(realm));
+ realm[sizeof(realm) - 1] = '\0';
 }
 } else {
 /* No explicit name provided. */
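Review bot: The `fprintf` added in the aCELL branch passes `sizeof(realm) - 1`, which has type `size_t`, to a `%d` conversion, so the specifier and the argument do not match; that is undefined behaviour and can print a wrong limit where `size_t` is wider than `int`. Cast at the call, `(int)(sizeof(realm) - 1)`; the second hunk's "Cell too long" message and the third hunk's `sizeof(passwd) - 1` need the same change. Once the length check has passed, `strncpy` cannot truncate, so the added `realm[sizeof(realm) - 1] = '\0';` is a backstop only, and a one-line comment saying so would keep a later reader from treating it as the real guard. CommandProc starts and ends outside these hunks, so this assumes `realm` and `passwd` are arrays, as the existing `sizeof` arguments to `strncpy` suggest.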
@@ -237,7 +253,15 @@ CommandProc (struct cmd_syndesc *as, void *arock)
 * see it there with ps!
 */
 foundPassword = 1;
+ if (strlen(as->parms[aPASSWORD].items->data) >= sizeof(passwd)) {
+ if (!Silent)
+ fprintf(stderr,
+ "Password too long - maximum length is %d\n",
+ sizeof(passwd) - 1);
+ return -1;
+ }
 strncpy (passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
+ passwd[sizeof(passwd) - 1] = '\0';
 memset (as->parms[aPASSWORD].items->data, 0, strlen(as->parms[aPASSWORD].items->data));
 }
-- 
2.39.5
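Review bot: The early `return -1;` for an over-long password is taken before the existing `memset` that clears `as->parms[aPASSWORD].items->data`, so on this path the password is never wiped from the argument string that the comment above says others can see. Clear it before reporting the error: `memset (as->parms[aPASSWORD].items->data, 0, strlen(as->parms[aPASSWORD].items->data));` as the first statement inside the new `if`, ahead of the `if (!Silent)` test. How long the string would otherwise stay readable depends on what the caller does with -1, which is not visible in this hunk.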