From: Simon Wilkinson <sxw@your-file-system.com>
Date: Sat, 2 Mar 2013 12:38:49 +0000 (+0000)
Subject: audit: Fix overflow in file backend
X-Git-Tag: openafs-stable-1_8_0pre1~1323
X-Git-Url: https://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=b0b3def56c15161df28059e270f0360c31241217

audit: Fix overflow in file backend

If the filename passed to open_file was larger than MAXPATHLEN-5,
then we'd overflow the oldName buffer when creating the backup
filename. Fix the overflow by using a malloc'd buffer instead.

Caught by coverity (#985767)

Change-Id: Ie364aae0749b3658ab11a354844878d10c6970ab
Reviewed-on: http://gerrit.openafs.org/9448
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>
---

diff --git a/src/audit/audit-file.c b/src/audit/audit-file.c
index 0ccf447..e03193f 100644
--- a/src/audit/audit-file.c
+++ b/src/audit/audit-file.c
@@ -39,7 +39,7 @@ static int
 open_file(const char *fileName)
 {
     int tempfd, flags;
-    char oldName[MAXPATHLEN];
+    char *oldName;
 
 #ifndef AFS_NT40_ENV
     struct stat statbuf;
@@ -50,10 +50,14 @@ open_file(const char *fileName)
     } else
 #endif
     {
-        strcpy(oldName, fileName);
-        strcat(oldName, ".old");
+	asprintf(&oldName, "%s.old", fileName);
+	if (oldName == NULL) {
+	    printf("Warning: Unable to create backup filename. Auditing ignored\n");
+	    return 1;
+	}
         rk_rename(fileName, oldName);
         flags = O_WRONLY | O_TRUNC | O_CREAT;
+	free(oldName);
     }
     tempfd = open(fileName, flags, 0666);
     if (tempfd > -1) {