From 959516d61bc6ee7cdd12409dde0ec00044208f1b Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 29 Mar 2012 17:13:07 -0700
Subject: More strlcat/strlcpy truncate checks.
---
source3/auth/auth_script.c | 55 +++++++++++++++++++++++++++++++++++++---------
1 file changed, 45 insertions(+), 10 deletions(-)
(limited to 'source3/auth/auth_script.c')
diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c
index 4432ff4aec..dc8794bf16 100644
--- a/source3/auth/auth_script.c
+++ b/source3/auth/auth_script.c
@@ -74,32 +74,62 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co return NT_STATUS_NO_MEMORY; } - strlcpy( secret_str, user_info->mapped.domain_name, secret_str_len); - strlcat( secret_str, "\n", secret_str_len); - strlcat( secret_str, user_info->client.account_name, secret_str_len); - strlcat( secret_str, "\n", secret_str_len); + if (strlcpy( secret_str, user_info->mapped.domain_name, secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } + if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } + if (strlcat( secret_str, user_info->client.account_name, secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } + if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } for (i = 0; i < 8; i++) { slprintf(&hex_str[i*2], 3, "%02X", auth_context->challenge.data[i]); } - strlcat( secret_str, hex_str, secret_str_len); - strlcat( secret_str, "\n", secret_str_len); + if (strlcat( secret_str, hex_str, secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } + if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } if (user_info->password.response.lanman.data) { for (i = 0; i < 24; i++) { slprintf(&hex_str[i*2], 3, "%02X", user_info->password.response.lanman.data[i]); } - strlcat( secret_str, hex_str, secret_str_len); + if (strlcat( secret_str, hex_str, secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } + } + if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { + /* Truncate. 
*/ + goto cat_out; } - strlcat( secret_str, "\n", secret_str_len); if (user_info->password.response.nt.data) { for (i = 0; i < 24; i++) { slprintf(&hex_str[i*2], 3, "%02X", user_info->password.response.nt.data[i]); } - strlcat( secret_str, hex_str, secret_str_len); + if (strlcat( secret_str, hex_str, secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; + } + } + if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { + /* Truncate. */ + goto cat_out; } - strlcat( secret_str, "\n", secret_str_len); DEBUG(10,("script_check_user_credentials: running %s with parameters:\n%s\n", script, secret_str )); @@ -117,6 +147,11 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co /* Cause the auth system to keep going.... */ return NT_STATUS_NOT_IMPLEMENTED; + + cat_out: + + SAFE_FREE(secret_str); + return NT_STATUS_NO_MEMORY; } /* module initialisation */ -- cgit
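Review bot: The `/* Truncate. */` comment repeated in each new branch reads as if the code truncates, while every branch actually abandons the request via `goto cat_out` when strlcpy()/strlcat() reports that the result would not fit. A wording such as `/* Would not fit: fail instead of continuing with a truncated credential string. */` says what happens and why. The same three-line check is written ten times; a small static helper, e.g. `static bool append_ok(char *dst, const char *src, size_t len) { return strlcat(dst, src, len) < len; }`, would keep the comparison in one place so a later edit cannot leave one append unchecked. script_check_user_credentials() starts before this hunk and continues after it, so how secret_str_len is computed is not visible here.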
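Review bot: The new `cat_out` path returns `NT_STATUS_NO_MEMORY` without logging anything, so a request rejected because the domain or account name (presumably client-supplied) was too long looks the same as the allocation failure earlier in the function. For triage it would help to log the rejection without printing secret_str, which holds the challenge and response hex, e.g. `DEBUG(1,("script_check_user_credentials: credential string too long, script not run\n"));`. If no caller depends on the current value, a status that names the cause, such as `NT_STATUS_INVALID_PARAMETER`, would also be clearer. How the auth stack treats either status compared with the normal `NT_STATUS_NOT_IMPLEMENTED` "keep going" return is not visible in this hunk, and the function body begins outside it.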