Windows: prevent buffer overrun in cklog

The Windows version of klog.exe will overwrite the realm and password buffers if the command line input is too long. Generate an error and terminate the program instead. Change-Id: I80671adcf92e9140f14a943b2677a352d2223eee Reviewed-on: http://gerrit.openafs.org/2558 Reviewed-by: Derrick Brashear <shadow@dementia.org> Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Jeffrey Altman <jaltman@openafs.org> Tested-by: Jeffrey Altman <jaltman@openafs.org>
2025-02-01 05:57:43 +00:00 · 2010-08-16 10:09:22 -04:00 · 2010-08-16 10:09:22 -04:00 · ce24220004
commit ce24220004
parent 22f6306cc8
1 changed files with 24 additions and 0 deletions
--- a/src/WINNT/afsd/cklog.c
+++ b/src/WINNT/afsd/cklog.c
@ -192,7 +192,15 @@ CommandProc (struct cmd_syndesc *as, void *arock)
 	 * the given cell name differs from our own, we don't do a lookup.
 	 */
 	foundExplicitCell = 1;
+        if (strlen(as->parms[aCELL].items->data) >= sizeof(realm)) {
+            if (!Silent)
+                fprintf(stderr,
+                        "Cell name too long - maximum length is %d\n",
+                        sizeof(realm) - 1);
+            return -1;
+        }
 	strncpy (realm, as->parms[aCELL].items->data, sizeof(realm));
+        realm[sizeof(realm) - 1] = '\0';
    }

    if (as->parms[aSERVERS].items) {
@ -217,7 +225,15 @@ CommandProc (struct cmd_syndesc *as, void *arock)
 		return -1;
 	    }
 	    foundExplicitCell = 1;
+            if (strlen(cell) >= sizeof(realm)) {
+                if (!Silent)
+                    fprintf(stderr,
+                            "Cell too long - maximum length is %d\n",
+                            sizeof(realm) - 1);
+                return -1;
+            }
 	    strncpy (realm, cell, sizeof(realm));
+            realm[sizeof(realm) - 1] = '\0';
 	}
    } else {
 	/* No explicit name provided. */
@ -237,7 +253,15 @@ CommandProc (struct cmd_syndesc *as, void *arock)
 	 * see it there with ps!
 	 */
 	foundPassword = 1;
+        if (strlen(as->parms[aPASSWORD].items->data) >= sizeof(passwd)) {
+            if (!Silent)
+                fprintf(stderr,
+                        "Password too long - maximum length is %d\n",
+                        sizeof(passwd) - 1);
+            return -1;
+        }
 	strncpy (passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
+        passwd[sizeof(passwd) - 1] = '\0';
 	memset (as->parms[aPASSWORD].items->data, 0,
 	       strlen(as->parms[aPASSWORD].items->data));
    }