kauth: Fix overflow when writing ticket file
authorSimon Wilkinson <sxw@your-file-system.com>
Tue, 26 Feb 2013 22:40:04 +0000 (22:40 +0000)
committerJeffrey Altman <jaltman@your-file-system.com>
Wed, 27 Feb 2013 20:42:01 +0000 (12:42 -0800)
krb_write_ticket_file uses a fixed length buffer to store the name
of the ticket file, but copies into this from an environment variable.

Remove the fixed length buffer, and use a mixture of the variable
itself, and dynamically allocated strings.

Caught by coverity (#985909)

Change-Id: I997fd1812c45e730db39497a27a5e168f102fee5
Reviewed-on: http://gerrit.openafs.org/9294
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>

src/kauth/krb_tf.c

index ce1b2eb..1ccb767 100644 (file)
@@ -60,7 +60,6 @@
 afs_int32
 krb_write_ticket_file(char *realm)
 {
-    char ticket_file[AFSDIR_PATH_MAX];
     int fd;
     int count;
     afs_int32 code;
@@ -83,10 +82,15 @@ krb_write_ticket_file(char *realm)
      * back upon /tmp/tkt(uid}.
      */
     if ((tf_name = (char *)getenv("KRBTKFILE")))
-       (void)sprintf(ticket_file, "%s", tf_name);
-    else
-       (void)sprintf(ticket_file, "%s/tkt%d", gettmpdir(), getuid());
-    fd = open(ticket_file, O_WRONLY + O_CREAT + O_TRUNC, 0700);
+       fd = open(tf_name, O_WRONLY | O_CREAT | O_TRUNC, 0700);
+    else {
+       asprintf(&tf_name, "%s/tkt%d", gettmpdir(), getuid());
+       if (tf_name == NULL)
+           return ENOMEM;
+       fd = open(tf_name, O_WRONLY | O_CREAT | O_TRUNC, 0700);
+       free(tf_name);
+    }
+
     if (fd <= 0)
        return errno;
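Review bot: In the fallback branch the return value of `asprintf()` is discarded and failure is detected with `tf_name == NULL`, but on some libcs (glibc among them) the pointer is left undefined when asprintf fails, so the check may not fire and `open()` and `free()` would then see an indeterminate pointer. Test the return value instead: `if (asprintf(&tf_name, "%s/tkt%d", gettmpdir(), getuid()) < 0) return ENOMEM;`. The new `free(tf_name)` also sits between `open()` and the `return errno` below, and older libc implementations of free() may modify errno, so a failed open can report the wrong code; capturing errno immediately after `open()` (for example into the already-declared `code`) avoids that. Separately, the fallback path is still a predictable name in a shared temp directory opened with `O_CREAT | O_TRUNC`, so adding `O_NOFOLLOW` where available and creating the file as 0600 rather than 0700 would be reasonable hardening against a pre-placed symlink. The body of krb_write_ticket_file starts and ends outside this hunk.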