From 8961793dbbae2f8b213372906a281dc38c77186c Mon Sep 17 00:00:00 2001
From: Simon Wilkinson <sxw@your-file-system.com>
Date: Wed, 16 May 2012 20:27:22 +0100
Subject: [PATCH] auth: Simplify DNS lookups with asprintf

Instead of allocing a maximal string, and using snprintf to
construct each possible DNS search string, just use asprintf to
construct each string. This greatly simplifies the code, and makes
it much less likely that maths errors can creep in causing buffer
overflows in the future. The downside is that we have more round
trips to the allocator, but that shouldn't matter in this context.

Change-Id: Iae9ab7d45f454c90a937354c71c9ec7fa2c55b69
Reviewed-on: http://gerrit.openafs.org/7452
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
---
 src/auth/cellconfig.c | 30 ++++++++++++------------------
 1 file changed, 12 insertions(+), 18 deletions(-)

diff --git a/src/auth/cellconfig.c b/src/auth/cellconfig.c
index a5b2d3d71c..8b6915f021 100644
--- a/src/auth/cellconfig.c
+++ b/src/auth/cellconfig.c
@@ -969,9 +969,8 @@ afsconf_LookupServer(const char *service, const char *protocol,
     int len;
     unsigned char answer[1024];
     unsigned char *p;
-    char *dotcellname;
+    char *dotcellname = NULL;
     char *realCellName;
-    int cellnamelength, fullnamelength;
     char host[256];
     int server_num = 0;
     int minttl = 0;
@@ -991,12 +990,6 @@ afsconf_LookupServer(const char *service, const char *protocol,
     if (strchr(cellName,'.'))
 	pass += 2;
 
-    cellnamelength=strlen(cellName); /* _ ._ . . \0 */
-    fullnamelength=cellnamelength+strlen(protocol)+strlen(IANAname)+6;
-    dotcellname=malloc(fullnamelength);
-    if (!dotcellname)
-	return AFSCONF_NOTFOUND;	/* service not found */
-
 #ifdef HAVE_RES_RETRANSRETRY
     if ((_res.options & RES_INIT) == 0 && res_init() == -1)
       return (0);
@@ -1013,31 +1006,33 @@ afsconf_LookupServer(const char *service, const char *protocol,
     switch (pass) {
     case 0:
 	dnstype = T_SRV;
-	code = snprintf(dotcellname, fullnamelength, "_%s._%s.%s.",
-		 IANAname, protocol, cellName);
+	asprintf(&dotcellname, "_%s._%s.%s.", IANAname, protocol, cellName);
 	break;
     case 1:
 	dnstype = T_AFSDB;
-	code = snprintf(dotcellname, fullnamelength, "%s.",
-		 cellName);
+	asprintf(&dotcellname, "%s.", cellName);
 	break;
     case 2:
 	dnstype = T_SRV;
-	code = snprintf(dotcellname, fullnamelength, "_%s._%s.%s",
-		 IANAname, protocol, cellName);
+	asprintf(&dotcellname, "_%s._%s.%s", IANAname, protocol, cellName);
 	break;
     case 3:
 	dnstype = T_AFSDB;
-	code = snprintf(dotcellname, fullnamelength, "%s",
-		 cellName);
+	asprintf(&dotcellname, "%s", cellName);
 	break;
     }
-    if ((code < 0) || (code >= fullnamelength))
+    if (dotcellname == NULL)
 	goto findservererror;
+
     LOCK_GLOBAL_MUTEX;
     len = res_search(dotcellname, C_IN, dnstype, answer, sizeof(answer));
     UNLOCK_GLOBAL_MUTEX;
 
+    if (dotcellname != NULL) {
+	free(dotcellname);
+	dotcellname = NULL;
+    }
+
     if (len < 0) {
 	if (try_init < 1) {
 	    try_init++;
@@ -1181,7 +1176,6 @@ afsconf_LookupServer(const char *service, const char *protocol,
 findservererror:
     if (code && realCellName)
 	free(realCellName);
-    free(dotcellname);
     return code;
 }