Merge pull request #5989 from larsewi/xpath

ENT-13550: Fixed buffer overflow in build XPath for edit_xml

Author: larsewi

cf-agent/files_editxml.c

@@ -29,6 +29,8 @@
 #include <promises.h>
 #include <files_names.h>
 #include <files_edit.h>
+#include <stddef.h>
+#include <stdio.h>
 #include <vars.h>
 #include <item_lib.h>
 #include <sort.h>
@@ -42,6 +44,7 @@
 #include <ornaments.h>
 #include <verify_classes.h>
 #include <regex.h>              /* StringMatch() */
+#include <logging.h>
 
 enum editxmltypesequence
 {
@@ -344,20 +347,22 @@ static PromiseResult KeepEditXmlPromise(EvalContext *ctx, const Promise *pp,
 static bool VerifyXPathBuild(EvalContext *ctx, const Attributes *attr, const Promise *pp, EditContext *edcontext, PromiseResult *result)
 {
     assert(attr != NULL);
+    assert(pp != NULL);
     Attributes a = *attr; // TODO: Remove this copy
     xmlDocPtr doc = NULL;
     CfLock thislock;
     char lockname[CF_BUFSIZE], rawxpath[CF_BUFSIZE] = { 0 };
 
     a.transaction.ifelapsed = CF_EDIT_IFELAPSED;
 
-    if (a.xml.havebuildxpath)
-    {
-        strcpy(rawxpath, a.xml.build_xpath);
-    }
-    else
-    {
-        strcpy(rawxpath, pp->promiser);
+    int ret = snprintf(rawxpath, sizeof(rawxpath), "%s",
+        a.xml.havebuildxpath ? a.xml.build_xpath : pp->promiser);
+    if (ret < 0 ||(size_t)ret >= sizeof(rawxpath)) {
+        Log(LOG_LEVEL_VERBOSE, "Build XPath is too long (%d >= %zu)", ret, sizeof(rawxpath));
+        RecordFailure(ctx, pp, &a,
+                      "The promised build XPath build is too long");
+        *result = PromiseResultUpdate(*result, PROMISE_RESULT_FAIL);
+        return false;
     }
 
     if (!SanityCheckXPathBuild(ctx, &a, pp, result))