audit: Fix overflow in file backend
authorSimon Wilkinson <sxw@your-file-system.com>
Sat, 2 Mar 2013 12:38:49 +0000 (12:38 +0000)
committerDerrick Brashear <shadow@your-file-system.com>
Mon, 11 Mar 2013 14:26:41 +0000 (07:26 -0700)
If the filename passed to open_file was larger than MAXPATHLEN-5,
then we'd overflow the oldName buffer when creating the backup
filename. Fix the overflow by using a malloc'd buffer instead.

Caught by coverity (#985767)

Change-Id: Ie364aae0749b3658ab11a354844878d10c6970ab
Reviewed-on: http://gerrit.openafs.org/9448
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>

src/audit/audit-file.c

index 0ccf447..e03193f 100644 (file)
@@ -39,7 +39,7 @@ static int
 open_file(const char *fileName)
 {
     int tempfd, flags;
-    char oldName[MAXPATHLEN];
+    char *oldName;
 
 #ifndef AFS_NT40_ENV
     struct stat statbuf;
@@ -50,10 +50,14 @@ open_file(const char *fileName)
     } else
 #endif
     {
-        strcpy(oldName, fileName);
-        strcat(oldName, ".old");
+       asprintf(&oldName, "%s.old", fileName);
+       if (oldName == NULL) {
+           printf("Warning: Unable to create backup filename. Auditing ignored\n");
+           return 1;
+       }
         rk_rename(fileName, oldName);
         flags = O_WRONLY | O_TRUNC | O_CREAT;
+       free(oldName);
     }
     tempfd = open(fileName, flags, 0666);
     if (tempfd > -1) {