vlserver: Use bounded string copy in FindByName() 63/14763/3
authorMichael Meffie <mmeffie@sinenomine.net>
Thu, 19 Aug 2021 16:52:30 +0000 (12:52 -0400)
committerBenjamin Kaduk <kaduk@mit.edu>
Fri, 17 Sep 2021 05:39:54 +0000 (01:39 -0400)
Although the volname string passed to FindByName() is currently always
limited to 65 characters (including the terminating nul), to be on the safe
side, use the bounded strlcpy() function when copying the volname to the
temporary tname local variable to avoid the possibility of overwriting
the stack with an unbounded strcpy().

Change-Id: I12a8ca2901147c7dd88e63339d0d11c3c89bf94a
Reviewed-on: https://gerrit.openafs.org/14763
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

src/vlserver/vlutils.c

index 5514d61..01479a2 100644 (file)
@@ -696,15 +696,25 @@ FindByName(struct vl_ctx *ctx, char *volname, struct nvlentry *tentry,
     hashindex = strlen(volname);       /* really string length */
     if (hashindex >= 8 && strcmp(volname + hashindex - 7, ".backup") == 0) {
        /* this is a backup volume */
-       strcpy(tname, volname);
+       if (strlcpy(tname, volname, sizeof(tname)) >= sizeof(tname)) {
+           *error = VL_BADNAME;
+           return 0;
+       }
        tname[hashindex - 7] = 0;       /* zap extension */
     } else if (hashindex >= 10
               && strcmp(volname + hashindex - 9, ".readonly") == 0) {
        /* this is a readonly volume */
-       strcpy(tname, volname);
+       if (strlcpy(tname, volname, sizeof(tname)) >= sizeof(tname)) {
+           *error = VL_BADNAME;
+           return 0;
+       }
        tname[hashindex - 9] = 0;       /* zap extension */
-    } else
-       strcpy(tname, volname);
+    } else {
+       if (strlcpy(tname, volname, sizeof(tname)) >= sizeof(tname)) {
+           *error = VL_BADNAME;
+           return 0;
+       }
+    }
 
     *error = 0;
     hashindex = NameHash(tname);
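Review bot: The same four-line truncation check is repeated in all three branches, so a later edit to one copy could leave another with a different bound or error code. A single copy placed before the suffix test would do, `if (strlcpy(tname, volname, sizeof(tname)) >= sizeof(tname)) { *error = VL_BADNAME; return 0; }`, leaving the two suffix branches with only their `tname[hashindex - N] = 0;` line. Rejecting instead of truncating looks right for a lookup key, and a short comment such as `/* reject over-long names: a truncated name could hash to a different volume */` would keep that intent visible. `sizeof(tname)` is the correct bound only if tname is declared as an array rather than a pointer; that declaration is in the part of FindByName above the hunk and should be confirmed.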