From 7b1d48d4e1cbd83a2d228e500f376c516b1c93b0 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 6 Mar 2012 11:05:53 -0500
Subject: path_utils: handle off-by-one error in path_concat()

https://fedorahosted.org/sssd/ticket/1230
---
 path_utils/path_utils.c    |  2 +-
 path_utils/path_utils_ut.c | 18 ++++++++++++++----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/path_utils/path_utils.c b/path_utils/path_utils.c
index 97c845c..360d499 100644
--- a/path_utils/path_utils.c
+++ b/path_utils/path_utils.c
@@ -210,7 +210,7 @@ int path_concat(char *path, size_t path_size, const char *head, const char *tail
         for (p = tail; *p && *p == '/'; p++);   /* skip any leading slashes in tail */
         if (dst > path)
             if (dst < dst_end) *dst++ = '/';    /* insert single slash between head & tail */
-        for (src = p; *src && dst <= dst_end;) *dst++ = *src++; /* copy tail */
+        for (src = p; *src && dst < dst_end;) *dst++ = *src++; /* copy tail */
         if (*src) return ENOBUFS; /* failed to copy everything */
     }
     *dst = 0;
diff --git a/path_utils/path_utils_ut.c b/path_utils/path_utils_ut.c
index 044e9ea..fbefcab 100644
--- a/path_utils/path_utils_ut.c
+++ b/path_utils/path_utils_ut.c
@@ -241,16 +241,26 @@ END_TEST
 START_TEST(test_path_concat_neg)
 {
     char small[3];
-    char small2[4];
-    char p2[8];
+    char small2[5];
+    char small3[7];
+    char p2[9];
 
     /* these two test different conditions */
+
+    /* Test if head is longer than the buffer */
     fail_unless(path_concat(small, 3, "/foo", "bar") == ENOBUFS);
-    fail_unless(path_concat(small2, 4, "/foo", "bar") == ENOBUFS);
+
+    /* Test if head is the same length as the buffer */
+    fail_unless(path_concat(small2, 5, "/foo", "bar") == ENOBUFS);
+
+    /* Test if head+tail is the longer than the buffer */
+    fail_unless(path_concat(small3, 7, "/foo", "bar") == ENOBUFS);
 
     /* off-by-one */
+    p2[8] = 1; /* Check whether we've written too far */
     fail_unless(path_concat(p2, 8, "/foo", "bar") == ENOBUFS);
-    fail_unless_str_equal(p2, "/foo/bar");
+    fail_unless(p2[8] == 1); /* This should be untouched */
+    fail_unless_str_equal(p2, "/foo/ba");
 }
 END_TEST
 
-- 
cgit