fix buffer overflow

Makefile

@@ -268,6 +268,7 @@ login: docker
 
 test_on_docker: docker
 	docker exec -t libnss-stns make test
+	docker exec -t libnss-stns make flawfinder
 	docker exec -t libnss-stns make integration
 
 github_release: ## Create some distribution packages
@@ -283,6 +284,7 @@ parson:
 		mv /tmp/parson/parson.c ./
 cleanup:
 	rm -rf /var/cache/stns
+	rm -rf /var/tmp/.stns.lock
 flawfinder:
-	ls stns*c |grep -v test | xargs flawfinder
+	ls stns*c |grep -v test | xargs flawfinder --error-level 3 --minlevel 3
 .PHONY: test testdev build parson

stns.c

@@ -478,7 +478,7 @@ int stns_import_file(char *file, stns_response_t *res)
     } else {
       res->data = (char *)realloc(res->data, total_len + len + 1);
     }
-    strcpy(res->data + total_len, buf);
+    strncpy(res->data + total_len, buf, len + 1);
     total_len += len;
   }
   fclose(fp);
@@ -656,6 +656,7 @@ int stns_exec_cmd(char *cmd, char *arg, stns_response_t *r)
   syslog(LOG_ERR, "%s(stns)[L%d] after malloc", __func__, __LINE__);
 #endif
 
+  /* Flawfinder: ignore */
   if ((fp = popen(c, "r")) == NULL) {
     goto err;
   }
@@ -675,7 +676,7 @@ int stns_exec_cmd(char *cmd, char *arg, stns_response_t *r)
 #ifdef DEBUG
     syslog(LOG_ERR, "%s(stns)[L%d] after malloc", __func__, __LINE__);
 #endif
-    strcpy(r->data + total_len, buf);
+    strncpy(r->data + total_len, buf, len + 1);
     total_len += len;
   }
   pclose(fp);

stns_group.c

@@ -43,7 +43,7 @@ pthread_mutex_t grent_mutex = PTHREAD_MUTEX_INITIALIZER;
       pthread_mutex_unlock(&grent_mutex);                                                                              \
       return NSS_STATUS_TRYAGAIN;                                                                                      \
     }                                                                                                                  \
-    strcpy(next_member, user);                                                                                         \
+    strncpy(next_member, user, user_length);                                                                           \
     rbuf->gr_mem[i] = next_member;                                                                                     \
     next_member += user_length;                                                                                        \
     buflen -= user_length;                                                                                             \

stns_key_wrapper.c

@@ -13,12 +13,18 @@ int main(int argc, char *argv[])
   int ret;
   signal(SIGPIPE, SIG_IGN);
 
+  /* Flawfinder: ignore */
   while ((ret = getopt(argc, argv, "c:")) != -1) {
     if (ret == -1)
       break;
     switch (ret) {
     case 'c':
-      conf_path = optarg;
+      int len = strnlen(optarg, MAXBUF) + 1;
+      if (len >= MAXBUF) {
+        fprintf(stderr, "conf path too long\n");
+        return -1;
+      }
+      strncpy(conf_path, optarg, len);
       break;
     default:
       break;
@@ -38,8 +44,12 @@ int main(int argc, char *argv[])
   if (ret != 0)
     return -1;
 
+  if (strnlen(argv[optind], MAX_USERNAME_LENGTH) >= MAX_USERNAME_LENGTH) {
+    fprintf(stderr, "user name too long\n");
+    return -1;
+  }
   snprintf(url, sizeof(url), "users?name=%s", argv[optind]);
-  r.data = (char *)malloc(STNS_DEFAULT_BUFFER_SIZE);
+  r.data      = (char *)malloc(STNS_DEFAULT_BUFFER_SIZE);
   curl_result = stns_request(&c, url, &r);
   if (curl_result != CURLE_OK) {
     fprintf(stderr, "http request failed user: %s\n", argv[optind]);
@@ -102,7 +112,8 @@ int main(int argc, char *argv[])
     if (stns_exec_cmd(c.chain_ssh_wrapper, argv[optind], &cr) == 0) {
       key_size = cr.size;
       keys     = (char *)realloc(keys, key_size + strnlen(keys, STNS_MAX_BUFFER_SIZE) + 1);
-      strcpy(&(keys[size]), cr.data);
+      int len  = strnlen(cr.data, STNS_MAX_BUFFER_SIZE);
+      strncpy(&(keys[size]), cr.data, len + 1);
       size += key_size;
     }
     free(cr.data);