Windows: prevent buffer overrun in cklog
authorJeffrey Altman <jaltman@your-file-system.com>
Mon, 16 Aug 2010 14:09:22 +0000 (10:09 -0400)
committerJeffrey Altman <jaltman@openafs.org>
Mon, 16 Aug 2010 18:32:24 +0000 (11:32 -0700)
The Windows version of klog.exe will overwrite the realm and
password buffers if the command line input is too long.  Generate
an error and terminate the program instead.

Change-Id: I80671adcf92e9140f14a943b2677a352d2223eee
Reviewed-on: http://gerrit.openafs.org/2558
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Tested-by: Jeffrey Altman <jaltman@openafs.org>

src/WINNT/afsd/cklog.c

index 2456fcb..40700da 100644 (file)
@@ -192,7 +192,15 @@ CommandProc (struct cmd_syndesc *as, void *arock)
         * the given cell name differs from our own, we don't do a lookup.
         */
        foundExplicitCell = 1;
+        if (strlen(as->parms[aCELL].items->data) >= sizeof(realm)) {
+            if (!Silent)
+                fprintf(stderr,
+                        "Cell name too long - maximum length is %d\n",
+                        sizeof(realm) - 1);
+            return -1;
+        }
        strncpy (realm, as->parms[aCELL].items->data, sizeof(realm));
+        realm[sizeof(realm) - 1] = '\0';
     }
 
     if (as->parms[aSERVERS].items) {
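Review bot: The added `fprintf` passes `sizeof(realm) - 1`, which has type `size_t`, to a `%d` conversion, so the argument type does not match the format. On a 64-bit Windows build `size_t` is wider than `int`, which makes this undefined behaviour and can print a wrong limit. Cast the argument, e.g. `(int)(sizeof(realm) - 1)`, or use a `size_t` conversion if the project's C runtime supports one. The same mismatch appears in the two later hunks (the second cell-length message and the password-length message). `CommandProc` begins and ends outside this hunk.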
@@ -217,7 +225,15 @@ CommandProc (struct cmd_syndesc *as, void *arock)
                return -1;
            }
            foundExplicitCell = 1;
+            if (strlen(cell) >= sizeof(realm)) {
+                if (!Silent)
+                    fprintf(stderr,
+                            "Cell too long - maximum length is %d\n",
+                            sizeof(realm) - 1);
+                return -1;
+            }
            strncpy (realm, cell, sizeof(realm));
+            realm[sizeof(realm) - 1] = '\0';
        }
     } else {
        /* No explicit name provided. */
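Review bot: The error text here, `"Cell too long - maximum length is %d\n"`, differs from the `"Cell name too long - ..."` wording used for the same condition in the first hunk. Using one string for both makes the failure easier to search for in logs and scripts. The check, copy and terminate sequence is now repeated three times in `CommandProc`; a small static helper taking the destination, its size and a label would keep the three sites from drifting apart. The enclosing function continues outside this hunk.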
@@ -237,7 +253,15 @@ CommandProc (struct cmd_syndesc *as, void *arock)
         * see it there with ps!
         */
        foundPassword = 1;
+        if (strlen(as->parms[aPASSWORD].items->data) >= sizeof(passwd)) {
+            if (!Silent)
+                fprintf(stderr,
+                        "Password too long - maximum length is %d\n",
+                        sizeof(passwd) - 1);
+            return -1;
+        }
        strncpy (passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
+        passwd[sizeof(passwd) - 1] = '\0';
        memset (as->parms[aPASSWORD].items->data, 0,
               strlen(as->parms[aPASSWORD].items->data));
     }
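Review bot: The new early `return -1;` for an over-long password skips the `memset` that the normal path uses to wipe `as->parms[aPASSWORD].items->data` after copying it. The surrounding comment is about keeping the password from being visible in the process arguments, so the rejected value should be cleared too: add `memset(as->parms[aPASSWORD].items->data, 0, strlen(as->parms[aPASSWORD].items->data));` before the `return -1;`. How quickly the caller exits after this return is not visible in the hunk, so treat this as a defensive measure. The body of `CommandProc` extends beyond the hunk.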