More strlcat/strlcpy truncate checks.

8 files changed, 94 insertions, 26 deletions

diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c
index 4432ff4aec..dc8794bf16 100644
--- a/source3/auth/auth_script.c
+++ b/source3/auth/auth_script.c
@@ -74,32 +74,62 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	strlcpy( secret_str, user_info->mapped.domain_name, secret_str_len);
-	strlcat( secret_str, "\n", secret_str_len);
-	strlcat( secret_str, user_info->client.account_name, secret_str_len);
-	strlcat( secret_str, "\n", secret_str_len);
+	if (strlcpy( secret_str, user_info->mapped.domain_name, secret_str_len) >= secret_str_len) {
+		/* Truncate. */
+		goto cat_out;
+	}
+	if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) {
+		/* Truncate. */
+		goto cat_out;
+	}
+	if (strlcat( secret_str, user_info->client.account_name, secret_str_len) >= secret_str_len) {
+		/* Truncate. */
+		goto cat_out;
+	}
+	if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) {
+		/* Truncate. */
+		goto cat_out;
+	}
 
 	for (i = 0; i < 8; i++) {
 		slprintf(&hex_str[i*2], 3, "%02X", auth_context->challenge.data[i]);
 	}
-	strlcat( secret_str, hex_str, secret_str_len);
-	strlcat( secret_str, "\n", secret_str_len);
+	if (strlcat( secret_str, hex_str, secret_str_len) >= secret_str_len) {
+		/* Truncate. */
+		goto cat_out;
+	}
+	if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) {
+		/* Truncate. */
+		goto cat_out;
+	}
 
 	if (user_info->password.response.lanman.data) {
 		for (i = 0; i < 24; i++) {
 			slprintf(&hex_str[i*2], 3, "%02X", user_info->password.response.lanman.data[i]);
 		}
-		strlcat( secret_str, hex_str, secret_str_len);
+		if (strlcat( secret_str, hex_str, secret_str_len) >= secret_str_len) {
+			/* Truncate. */
+			goto cat_out;
+		}
+	}
+	if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) {
+		/* Truncate. */
+		goto cat_out;
 	}
-	strlcat( secret_str, "\n", secret_str_len);
 
 	if (user_info->password.response.nt.data) {
 		for (i = 0; i < 24; i++) {
 			slprintf(&hex_str[i*2], 3, "%02X", user_info->password.response.nt.data[i]);
 		}
-		strlcat( secret_str, hex_str, secret_str_len);
+		if (strlcat( secret_str, hex_str, secret_str_len) >= secret_str_len) {
+			/* Truncate. */
+			goto cat_out;
+		}
+	}
+	if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) {
+		/* Truncate. */
+		goto cat_out;
 	}
-	strlcat( secret_str, "\n", secret_str_len);
 
 	DEBUG(10,("script_check_user_credentials: running %s with parameters:\n%s\n",
 		script, secret_str ));
@@ -117,6 +147,11 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co
 
 	/* Cause the auth system to keep going.... */
 	return NT_STATUS_NOT_IMPLEMENTED;
+
+  cat_out:
+
+	SAFE_FREE(secret_str);
+	return NT_STATUS_NO_MEMORY;
 }
 
 /* module initialisation */
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index b6c8e995ed..e6220fd320 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -52,10 +52,17 @@ char *ads_build_path(const char *realm, const char *sep, const char *field, int
 		return NULL;
 	}
 
-	strlcpy(ret,field, len);
+	if (strlcpy(ret,field, len) >= len) {
+		/* Truncate ! */
+		free(r);
+		return NULL;
+	}
 	p=strtok_r(r, sep, &saveptr);
 	if (p) {
-		strlcat(ret, p, len);
+		if (strlcat(ret, p, len) >= len) {
+			free(r);
+			return NULL;
+		}
 
 		while ((p=strtok_r(NULL, sep, &saveptr)) != NULL) {
 			int retval;
diff --git a/source3/modules/vfs_afsacl.c b/source3/modules/vfs_afsacl.c
index e965e4c8b1..61a31458cf 100644
--- a/source3/modules/vfs_afsacl.c
+++ b/source3/modules/vfs_afsacl.c
@@ -316,16 +316,22 @@ static bool unparse_afs_acl(struct afs_acl *acl, char *acl_str)
 	}
 
 	fstr_sprintf(line, "%d\n", positives);
-	strlcat(acl_str, line, MAXSIZE);
+	if (strlcat(acl_str, line, MAXSIZE) >= MAXSIZE) {
+		return false;
+	}
 
 	fstr_sprintf(line, "%d\n", negatives);
-	strlcat(acl_str, line, MAXSIZE);
+	if (strlcat(acl_str, line, MAXSIZE) >= MAXSIZE) {
+		return false;
+	}
 
 	ace = acl->acelist;
 
 	while (ace != NULL) {
 		fstr_sprintf(line, "%s\t%d\n", ace->name, ace->rights);
-		strlcat(acl_str, line, MAXSIZE);
+		if (strlcat(acl_str, line, MAXSIZE) >= MAXSIZE) {
+			return false;
+		}
 		ace = ace->next;
 	}
 	return true;
diff --git a/source3/modules/vfs_recycle.c b/source3/modules/vfs_recycle.c
index c735dccd31..80332523ed 100644
--- a/source3/modules/vfs_recycle.c
+++ b/source3/modules/vfs_recycle.c
@@ -280,13 +280,17 @@ static bool recycle_create_dir(vfs_handle_struct *handle, const char *dname)
 	*new_dir = '\0';
 	if (dname[0] == '/') {
 		/* Absolute path. */
-		strlcat(new_dir,"/",len+1);
+		if (strlcat(new_dir,"/",len+1) >= len+1) {
+			goto done;
+		}
 	}
 
 	/* Create directory tree if neccessary */
 	for(token = strtok_r(tok_str, "/", &saveptr); token;
 	    token = strtok_r(NULL, "/", &saveptr)) {
-		strlcat(new_dir, token, len+1);
+		if (strlcat(new_dir, token, len+1) >= len+1) {
+			goto done;
+		}
 		if (recycle_directory_exist(handle, new_dir))
 			DEBUG(10, ("recycle: dir %s already exists\n", new_dir));
 		else {
@@ -297,7 +301,9 @@ static bool recycle_create_dir(vfs_handle_struct *handle, const char *dname)
 				goto done;
 			}
 		}
-		strlcat(new_dir, "/", len+1);
+		if (strlcat(new_dir, "/", len+1) >= len+1) {
+			goto done;
+		}
 		mode = recycle_subdir_mode(handle);
 	}
 
diff --git a/source3/modules/vfs_scannedonly.c b/source3/modules/vfs_scannedonly.c
index 1b35388b85..fcd2ed0a1c 100644
--- a/source3/modules/vfs_scannedonly.c
+++ b/source3/modules/vfs_scannedonly.c
@@ -327,8 +327,9 @@ static void notify_scanner(vfs_handle_struct * handle, const char *scanfile)
 	if (gsendlen + tmplen >= SENDBUFFERSIZE) {
 		flush_sendbuffer(handle);
 	}
-	strlcat(so->gsendbuffer, tmp, SENDBUFFERSIZE + 1);
-	strlcat(so->gsendbuffer, "\n", SENDBUFFERSIZE + 1);
+	/* FIXME ! Truncate checks... JRA. */
+	(void)strlcat(so->gsendbuffer, tmp, SENDBUFFERSIZE + 1);
+	(void)strlcat(so->gsendbuffer, "\n", SENDBUFFERSIZE + 1);
 }
 
 static bool is_scannedonly_file(struct Tscannedonly *so, const char *shortname)
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index e2a2744dae..b0c74e2f37 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -7338,8 +7338,14 @@ static bool run_shortname_test(int dummy)
 		goto out;
 	}
 
-	strlcpy(fname, "\\shortname\\", sizeof(fname));
-	strlcat(fname, "test .txt", sizeof(fname));
+	if (strlcpy(fname, "\\shortname\\", sizeof(fname)) >= sizeof(fname)) {
+		correct = false;
+		goto out;
+	}
+	if (strlcat(fname, "test .txt", sizeof(fname)) >= sizeof(fname)) {
+		correct = false;
+		goto out;
+	}
 
 	s.val = false;
 
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 4aaf365a88..ad3f448c5e 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -3765,8 +3765,12 @@ static NTSTATUS copy_fn(const char *mnt, struct file_info *f,
 		}
 
 		/* search below that directory */
-		strlcpy(new_mask, dir, sizeof(new_mask));
-		strlcat(new_mask, "\\*", sizeof(new_mask));
+		if (strlcpy(new_mask, dir, sizeof(new_mask)) >= sizeof(new_mask)) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		if (strlcat(new_mask, "\\*", sizeof(new_mask)) >= sizeof(new_mask)) {
+			return NT_STATUS_NO_MEMORY;
+		}
 
 		old_dir = local_state->cwd;
 		local_state->cwd = dir;
@@ -4807,7 +4811,9 @@ static bool get_user_tokens_from_file(FILE *f,
 
 		token = &((*tokens)[*num_tokens-1]);
 
-		strlcpy(token->name, line, sizeof(token->name));
+		if (strlcpy(token->name, line, sizeof(token->name)) >= sizeof(token->name)) {
+			return false;
+		}
 		token->token.num_sids = 0;
 		token->token.sids = NULL;
 		continue;
diff --git a/source3/web/swat.c b/source3/web/swat.c
index 34974b400f..0e17b015e9 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -176,7 +176,8 @@ void get_xsrf_token(const char *username, const char *pass,
 		char tmp[3];
 
 		snprintf(tmp, sizeof(tmp), "%02x", token[i]);
-		strlcat(token_str, tmp, sizeof(tmp));
+		/* FIXME ! Truncate check. JRA. */
+		(void)strlcat(token_str, tmp, sizeof(tmp));
 	}
 }