From 494ec08cd04da6f96be02c7dc22d9bb0c409d63b Mon Sep 17 00:00:00 2001
From: Michael Meffie
Date: Thu, 19 Aug 2021 12:52:30 -0400
Subject: [PATCH] vlserver: Use bounded string copy in FindByName()
Although the volname string passed to FindByName() is currently always limited 65 characters (including the terminating nul), to be on the safe side, use the bounded strlcpy() function when coping the volname to the temporary tname local variable to avoid the possibility of overwriting the stack with an unbounded strcpy().
Change-Id: I12a8ca2901147c7dd88e63339d0d11c3c89bf94a
Reviewed-on: https://gerrit.openafs.org/14763
Tested-by: BuildBot
Reviewed-by: Andrew Deason
Reviewed-by: Cheyenne Wills
Reviewed-by: Benjamin Kaduk
---
 src/vlserver/vlutils.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/vlserver/vlutils.c b/src/vlserver/vlutils.c
index 5514d61..01479a2 100644
--- a/src/vlserver/vlutils.c
+++ b/src/vlserver/vlutils.c
@@ -696,15 +696,25 @@ FindByName(struct vl_ctx *ctx, char *volname, struct nvlentry *tentry,
 hashindex = strlen(volname); /* really string length */
 if (hashindex >= 8 && strcmp(volname + hashindex - 7, ".backup") == 0) { /* this is a backup volume */
- strcpy(tname, volname);
+ if (strlcpy(tname, volname, sizeof(tname)) >= sizeof(tname)) {
+ *error = VL_BADNAME;
+ return 0;
+ }
 tname[hashindex - 7] = 0; /* zap extension */
 } else if (hashindex >= 10 && strcmp(volname + hashindex - 9, ".readonly") == 0) { /* this is a readonly volume */
- strcpy(tname, volname);
+ if (strlcpy(tname, volname, sizeof(tname)) >= sizeof(tname)) {
+ *error = VL_BADNAME;
+ return 0;
+ }
 tname[hashindex - 9] = 0; /* zap extension */
- } else
- strcpy(tname, volname);
+ } else {
+ if (strlcpy(tname, volname, sizeof(tname)) >= sizeof(tname)) {
+ *error = VL_BADNAME;
+ return 0;
+ }
+ }
 *error = 0;
 hashindex = NameHash(tname);
--
1.9.4
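Review bot: The same four-line copy-and-reject block is repeated in all three branches (`.backup`, `.readonly` and the final `else`), so the bound that keeps `volname` from overrunning `tname` has to be kept in sync in three places. Every branch performs the identical copy, so it can be done once above the if-chain with `if (strlcpy(tname, volname, sizeof(tname)) >= sizeof(tname)) { *error = VL_BADNAME; return 0; }`, leaving the branches with only `tname[hashindex - 7] = 0;` and `tname[hashindex - 9] = 0;`. The check is sound only while `tname` is a true array, since `sizeof(tname)` would otherwise be the size of a pointer; its declaration lies outside the hunk, so a comment there such as `/* sizeof(tname) bounds the strlcpy() below; keep this an array */` would protect the bound against later refactoring. The new early returns hand back 0 with `*error` set, and whether callers tell that apart from a not-found result cannot be seen here, because FindByName's body begins and ends outside the hunk.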