From: Christian Göttsche <cgzones@googlemail.com>
Date: Thu, 26 Jan 2023 19:58:24 +0000 (+0100)
Subject: commonio: check for path truncations
X-Git-Tag: 4.15.0-rc1~219
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0d3ba69340f9257501681ec516d75f5c5562e6e;p=thirdparty%2Fshadow.git

commonio: check for path truncations

Bail out if the paths generated for the backup and replacement database
are truncated.
---

diff --git a/lib/commonio.c b/lib/commonio.c
index 24c472bc9..c6459a2ec 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -900,7 +900,7 @@ static int write_all (const struct commonio_db *db)
 int commonio_close (struct commonio_db *db)
 {
 	char buf[1024];
-	int errors = 0;
+	int errors = 0, r;
 	struct stat sb;
 
 	if (!db->isopen) {
@@ -932,7 +932,12 @@ int commonio_close (struct commonio_db *db)
 		/*
 		 * Create backup file.
 		 */
-		snprintf (buf, sizeof buf, "%s-", db->filename);
+		r = snprintf (buf, sizeof buf, "%s-", db->filename);
+		if (r < 0 || (size_t)r >= sizeof buf) {
+			(void) fclose (db->fp);
+			db->fp = NULL;
+			goto fail;
+		}
 
 #ifdef WITH_SELINUX
 		if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
@@ -947,15 +952,15 @@ int commonio_close (struct commonio_db *db)
 			errors++;
 		}
 
+		db->fp = NULL;
+
 #ifdef WITH_SELINUX
 		if (reset_selinux_file_context () != 0) {
 			errors++;
 		}
 #endif
-		if (errors != 0) {
-			db->fp = NULL;
+		if (errors != 0)
 			goto fail;
-		}
 	} else {
 		/*
 		 * Default permissions for new [g]shadow files.
@@ -965,7 +970,9 @@ int commonio_close (struct commonio_db *db)
 		sb.st_gid = db->st_gid;
 	}
 
-	snprintf (buf, sizeof buf, "%s+", db->filename);
+	r = snprintf (buf, sizeof buf, "%s+", db->filename);
+	if (r < 0 || (size_t)r >= sizeof buf)
+		goto fail;
 
 #ifdef WITH_SELINUX
 	if (set_selinux_file_context (db->filename, S_IFREG) != 0) {