pioctl-always-null-terminate-after-copy-20020612

based on report from lha@e.kth.se

note that this works because PIGGYSIZE is always less than AFS_LRALLOCSIZ

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index 274492e..aeeb790 100644 (file)
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -1087,6 +1087,7 @@ afs_HandlePioctl(avc, acom, ablob, afollow, acred)
     inData = osi_AllocLargeSpace(AFS_LRALLOCSIZ);
     if (inSize > 0) {
       AFS_COPYIN(ablob->in, inData, inSize, code);
+      inData[inSize]='\0';
     }
     else code = 0;
     if (code) {
@@ -1104,8 +1105,10 @@ afs_HandlePioctl(avc, acom, ablob, afollow, acred)
     if (code == 0 && ablob->out_size > 0) {
       if (outSize > ablob->out_size) outSize = ablob->out_size;
       if (outSize >= PIGGYSIZE) code = E2BIG;
-      else if  (outSize) 
+      else if  (outSize) {
        AFS_COPYOUT(outData, ablob->out, outSize, code);
+       outData[outSize]='\0';
+      }
     }
     osi_FreeLargeSpace(outData);
     afs_PutFakeStat(&fakestate);