From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Subject: kernvar(): fix possible buffer overflow in string handling

strncat writes up to n+1 chars when n is passed as 3rd argument.  So when
doing
	strncpy(filename, fileprefix, sizeof(filename));
	strncat(filename, name, sizeof(filename) - strlen(fileprefix));

with strlen(fileprefix) + strlen(name) >= sizeof(filename) a buffer
overflow occurs.  Addionally there is no check if filename is big enough.

So convert to memcpy and handle filename not being big enough.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
---
 src/backfire/sendme.c       |   12 ++++++++++--
 src/cyclictest/cyclictest.c |   11 +++++++++--
 2 files changed, 19 insertions(+), 4 deletions(-)

--- a/src/backfire/sendme.c
+++ b/src/backfire/sendme.c
@@ -28,6 +28,7 @@
 #include <sched.h>
 #include <string.h>
 #include <time.h>
+#include <errno.h>
 #include "rt-utils.h"
 #include "rt-get_cpu.h"
 
@@ -63,9 +64,16 @@
 	char *fileprefix = get_debugfileprefix();
 	int retval = 1;
 	int path;
+	size_t len_prefix = strlen(fileprefix), len_name = strlen(name);
+
+	if (len_prefix + len_name + 1 > sizeof(filename)) {
+		errno = ENOMEM;
+		return 1;
+	}
+
+	memcpy(filename, fileprefix, len_prefix);
+	memcpy(filename + len_prefix, name, len_name + 1);
 
-	strncpy(filename, fileprefix, sizeof(filename));
-	strncat(filename, name, sizeof(filename) - strlen(fileprefix));
 	path = open(filename, mode);
 	if (path >= 0) {
 		if (mode == O_RDONLY) {
--- a/src/cyclictest/cyclictest.c
+++ b/src/cyclictest/cyclictest.c
@@ -199,9 +199,16 @@
 	char filename[128];
 	int retval = 1;
 	int path;
+	size_t len_prefix = strlen(fileprefix), len_name = strlen(name);
+
+	if (len_prefix + len_name + 1 > sizeof(filename)) {
+		errno = ENOMEM;
+		return 1;
+	}
+
+	memcpy(filename, fileprefix, len_prefix);
+	memcpy(filename + len_prefix, name, len_name + 1);
 
-	strncpy(filename, fileprefix, sizeof(filename));
-	strncat(filename, name, sizeof(filename) - strlen(fileprefix));
 	path = open(filename, mode);
 	if (path >= 0) {
 		if (mode == O_RDONLY) {
