From d1b03ef8ddc9ec84e52e6155fd510e601f043b20 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 May 2020 12:18:02 -0700
Subject: [PATCH] s3: lib: Paranoia around use of snprintf copying into a
 fixed-size buffer from a getenv() pointer.

Post checks for overflow/error.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May 18 23:42:57 UTC 2020 on sn-devel-184

(cherry picked from commit dd1f750293ef4361455a5d5b63fc7a89495715b7)
---
 lib/util/util_paths.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
index c05246a7407..c0ee5c32c30 100644
--- a/lib/util/util_paths.c
+++ b/lib/util/util_paths.c
@@ -73,12 +73,16 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
 
 	rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
 	if (rc != 0 || pwdbuf == NULL ) {
+		int len_written;
 		const char *szPath = getenv("HOME");
 		if (szPath == NULL) {
 			return NULL;
 		}
-		snprintf(buf, sizeof(buf), "%s", szPath);
-
+		len_written = snprintf(buf, sizeof(buf), "%s", szPath);
+		if (len_written >= sizeof(buf) || len_written < 0) {
+			/* Output was truncated or an error. */
+			return NULL;
+		}
 		return talloc_strdup(mem_ctx, buf);
 	}
 
-- 
2.47.2