From 996f0081053489f78a1eb3134c1d94116fe40a4f Mon Sep 17 00:00:00 2001
From: Mingjie Shen
Date: Wed, 15 Nov 2023 16:40:07 -0500
Subject: [PATCH] aserver: fix buffer overwriting name array should allocate space for the null terminator. Also, need to check if client->name has enough space for strcpy.
Signed-off-by: Mingjie Shen
---
 aserver/aserver.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/aserver/aserver.c b/aserver/aserver.c
index 1742f628..50ee3992 100644
--- a/aserver/aserver.c
+++ b/aserver/aserver.c
@@ -738,7 +738,7 @@ static int snd_client_open(client_t *client)
 ans.result = -EINVAL;
 goto _answer;
 }
- name = alloca(req.namelen);
+ name = alloca(req.namelen + 1);
 err = read(client->ctrl_fd, name, req.namelen);
 if (err < 0) {
 SYSERROR("read failed");
@@ -775,6 +775,10 @@ static int snd_client_open(client_t *client)
 name[req.namelen] = '\0';
 client->transport_type = req.transport_type;
+ if (sizeof(client->name) < (size_t)(req.namelen + 1)) {
+ ans.result = -ENOMEM;
+ goto _answer;
+ }
 strcpy(client->name, name);
 client->stream = req.stream;
 client->mode = req.mode;
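Review bot: In the `@@ -738,7 +738,7 @@` hunk, `alloca(req.namelen + 1)` still sizes a stack allocation from the request before any upper bound on the length is enforced; the only size check this commit adds sits much later, just before `strcpy`. If `req.namelen` is filled from the client over `ctrl_fd` (its declaration and type are not visible in this hunk), rejecting oversized names ahead of the allocation would bound both the stack use and the later copy, e.g. `if ((size_t)req.namelen >= sizeof(client->name)) { ans.result = -EINVAL; goto _answer; }` placed before the `alloca` line. The body of snd_client_open starts and ends outside this hunk, so an earlier length check may already exist there.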
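Review bot: The new guard in the `@@ -775,6 +775,10 @@` hunk reports `-ENOMEM` for a name that does not fit `client->name`, which reads as an allocation failure rather than a rejected request. The rejection visible in the first hunk's context uses `-EINVAL`, so `ans.result = -EINVAL;` (or `-ENAMETOOLONG`) would keep the answer codes consistent for whoever reads the client-side error. A short comment above the check, such as `/* name plus its NUL terminator must fit in client->name */`, would also record why the `+ 1` is there. snd_client_open continues outside this hunk.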