This is the mail archive of the cygwin-cvs@cygwin.com mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[newlib-cygwin] mkgroup/mkpasswd: Fix potential buffer overwrite in corner case

From: Corinna Vinschen <corinna at sourceware dot org>
To: cygwin-cvs at sourceware dot org
Date: 23 Oct 2016 15:05:45 -0000
Subject: [newlib-cygwin] mkgroup/mkpasswd: Fix potential buffer overwrite in corner case

https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=526107a7536c3ae8d7de2b38bc668b940f52ca35

commit 526107a7536c3ae8d7de2b38bc668b940f52ca35
Author: Corinna Vinschen <corinna@vinschen.de>
Date:   Sun Oct 23 17:02:24 2016 +0200

    mkgroup/mkpasswd: Fix potential buffer overwrite in corner case
    
    Fixes Coverity CIDs 60076, 60077 and 60081
    
    Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Diff:
---
 winsup/utils/mkgroup.c  | 16 ++++++++++------
 winsup/utils/mkpasswd.c |  8 +++++---
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/winsup/utils/mkgroup.c b/winsup/utils/mkgroup.c
index a9949d5..fc36e27 100644
--- a/winsup/utils/mkgroup.c
+++ b/winsup/utils/mkgroup.c
@@ -296,10 +296,12 @@ enum_local_groups (domlist_t *mach, const char *sep,
 	  else if (acc_type == SidTypeDomain)
 	    {
 	      WCHAR domname[MAX_DOMAIN_NAME_LEN + GNLEN + 2];
+	      PWCHAR p;
 
-	      wcscpy (domname, domain_name);
-	      wcscat (domname, L"\\");
-	      wcscat (domname, buffer[i].lgrpi0_name);
+	      p = wcpcpy (domname, domain_name);
+	      p = wcpcpy (p, L"\\");
+	      p = wcpncpy (p, buffer[i].lgrpi0_name, GNLEN);
+	      *p = L'\0';
 	      sid_length = SECURITY_MAX_SID_SIZE;
 	      domname_len = MAX_DOMAIN_NAME_LEN + 1;
 	      if (!LookupAccountNameW (machine, domname,
@@ -434,10 +436,12 @@ enum_groups (domlist_t *mach, const char *sep, DWORD id_offset,
 	  else if (acc_type == SidTypeDomain)
 	    {
 	      WCHAR domname[MAX_DOMAIN_NAME_LEN + GNLEN + 2];
+	      PWCHAR p;
 
-	      wcscpy (domname, machine);
-	      wcscat (domname, L"\\");
-	      wcscat (domname, buffer[i].grpi2_name);
+	      p = wcpcpy (domname, machine);
+	      p = wcpcpy (p, L"\\");
+	      p = wcpncpy (p, buffer[i].grpi2_name, GNLEN);
+	      *p = L'\0';
 	      sid_length = SECURITY_MAX_SID_SIZE;
 	      domname_len = MAX_DOMAIN_NAME_LEN + 1;
 	      if (!LookupAccountNameW (machine, domname, psid, &sid_length,
diff --git a/winsup/utils/mkpasswd.c b/winsup/utils/mkpasswd.c
index 27c607f..9562eac 100644
--- a/winsup/utils/mkpasswd.c
+++ b/winsup/utils/mkpasswd.c
@@ -312,10 +312,12 @@ enum_users (domlist_t *mach, const char *sep, const char *passed_home_path,
 	  else if (acc_type == SidTypeDomain)
 	    {
 	      WCHAR domname[MAX_DOMAIN_NAME_LEN + UNLEN + 2];
+	      PWCHAR p;
 
-	      wcscpy (domname, machine);
-	      wcscat (domname, L"\\");
-	      wcscat (domname, buffer[i].usri3_name);
+	      p = wcpcpy (domname, machine);
+	      p = wcpcpy (p, L"\\");
+	      p = wcpncpy (p, buffer[i].usri3_name, UNLEN);
+	      *p = L'\0';
 	      sid_length = SECURITY_MAX_SID_SIZE;
 	      domname_len = sizeof (domname);
 	      if (!LookupAccountNameW (machine, domname, psid,

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]