https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=526107a7536c3ae8d7de2b38bc668b940f52ca35
commit 526107a7536c3ae8d7de2b38bc668b940f52ca35
Author: Corinna Vinschen <cori...@vinschen.de>
Date: Sun Oct 23 17:02:24 2016 +0200
mkgroup/mkpasswd: Fix potential buffer overwrite in corner case
Fixes Coverity CIDs 60076, 60077 and 60081
Signed-off-by: Corinna Vinschen <cori...@vinschen.de>
Diff:
---
winsup/utils/mkgroup.c | 16 ++++++++++------
winsup/utils/mkpasswd.c | 8 +++++---
2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/winsup/utils/mkgroup.c b/winsup/utils/mkgroup.c
index a9949d5..fc36e27 100644
--- a/winsup/utils/mkgroup.c
+++ b/winsup/utils/mkgroup.c
@@ -296,10 +296,12 @@ enum_local_groups (domlist_t *mach, const char *sep,
else if (acc_type == SidTypeDomain)
{
WCHAR domname[MAX_DOMAIN_NAME_LEN + GNLEN + 2];
+ PWCHAR p;
- wcscpy (domname, domain_name);
- wcscat (domname, L"\\");
- wcscat (domname, buffer[i].lgrpi0_name);
+ p = wcpcpy (domname, domain_name);
+ p = wcpcpy (p, L"\\");
+ p = wcpncpy (p, buffer[i].lgrpi0_name, GNLEN);
+ *p = L'\0';
sid_length = SECURITY_MAX_SID_SIZE;
domname_len = MAX_DOMAIN_NAME_LEN + 1;
if (!LookupAccountNameW (machine, domname,
@@ -434,10 +436,12 @@ enum_groups (domlist_t *mach, const char *sep, DWORD
id_offset,
else if (acc_type == SidTypeDomain)
{
WCHAR domname[MAX_DOMAIN_NAME_LEN + GNLEN + 2];
+ PWCHAR p;
- wcscpy (domname, machine);
- wcscat (domname, L"\\");
- wcscat (domname, buffer[i].grpi2_name);
+ p = wcpcpy (domname, machine);
+ p = wcpcpy (p, L"\\");
+ p = wcpncpy (p, buffer[i].grpi2_name, GNLEN);
+ *p = L'\0';
sid_length = SECURITY_MAX_SID_SIZE;
domname_len = MAX_DOMAIN_NAME_LEN + 1;
if (!LookupAccountNameW (machine, domname, psid, &sid_length,
diff --git a/winsup/utils/mkpasswd.c b/winsup/utils/mkpasswd.c
index 27c607f..9562eac 100644
--- a/winsup/utils/mkpasswd.c
+++ b/winsup/utils/mkpasswd.c
@@ -312,10 +312,12 @@ enum_users (domlist_t *mach, const char *sep, const char
*passed_home_path,
else if (acc_type == SidTypeDomain)
{
WCHAR domname[MAX_DOMAIN_NAME_LEN + UNLEN + 2];
+ PWCHAR p;
- wcscpy (domname, machine);
- wcscat (domname, L"\\");
- wcscat (domname, buffer[i].usri3_name);
+ p = wcpcpy (domname, machine);
+ p = wcpcpy (p, L"\\");
+ p = wcpncpy (p, buffer[i].usri3_name, UNLEN);
+ *p = L'\0';
sid_length = SECURITY_MAX_SID_SIZE;
domname_len = sizeof (domname);
if (!LookupAccountNameW (machine, domname, psid,
