From e5d871ab40d111f943f8736ddf25064c04a371d5 Mon Sep 17 00:00:00 2001
From: Michael Meffie <mmeffie@sinenomine.net>
Date: Thu, 19 Aug 2021 12:52:30 -0400
Subject: [PATCH] vlserver: Use bounded string copy in FindByName()

Although the volname string passed to FindByName() is currently always
limited 65 characters (including the terminating nul), to be on the safe
side, use the bounded strlcpy() function when coping the volname to the
temporary tname local variable to avoid the possibility of overwriting
the stack with an unbounded strcpy().

Reviewed-on: https://gerrit.openafs.org/14763
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 494ec08cd04da6f96be02c7dc22d9bb0c409d63b)

Change-Id: I87b225de7d4ce81a4017f47f2d5088ebffd7c66a
Reviewed-on: https://gerrit.openafs.org/15538
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
---
 src/vlserver/vlutils.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/vlserver/vlutils.c b/src/vlserver/vlutils.c
index 68abcc5aa2..c47bcb78db 100644
--- a/src/vlserver/vlutils.c
+++ b/src/vlserver/vlutils.c
@@ -696,15 +696,25 @@ FindByName(struct vl_ctx *ctx, char *volname, struct nvlentry *tentry,
     hashindex = strlen(volname);	/* really string length */
     if (hashindex >= 8 && strcmp(volname + hashindex - 7, ".backup") == 0) {
 	/* this is a backup volume */
-	strcpy(tname, volname);
+	if (strlcpy(tname, volname, sizeof(tname)) >= sizeof(tname)) {
+	    *error = VL_BADNAME;
+	    return 0;
+	}
 	tname[hashindex - 7] = 0;	/* zap extension */
     } else if (hashindex >= 10
 	       && strcmp(volname + hashindex - 9, ".readonly") == 0) {
 	/* this is a readonly volume */
-	strcpy(tname, volname);
+	if (strlcpy(tname, volname, sizeof(tname)) >= sizeof(tname)) {
+	    *error = VL_BADNAME;
+	    return 0;
+	}
 	tname[hashindex - 9] = 0;	/* zap extension */
-    } else
-	strcpy(tname, volname);
+    } else {
+	if (strlcpy(tname, volname, sizeof(tname)) >= sizeof(tname)) {
+	    *error = VL_BADNAME;
+	    return 0;
+	}
+    }
 
     *error = 0;
     hashindex = NameHash(tname);