From 90220ca8c932a21a6ea457a42bcca7929a10d6a8 Mon Sep 17 00:00:00 2001
From: Craig Comstock
Date: Tue, 25 Nov 2025 07:52:55 -0600
Subject: [PATCH] Fixed length checking in StatFile
If a symlink resolves to a path that is longer than the maximum allowed by the protocol, currently 4088 bytes, then an error response is generated. Previously the server side would ignore an error from SendTransaction() due to the large size and the client-side would hang/timeout waiting for a response.
Ticket: ENT-13542
Changelog: title
---
 cf-serverd/server_common.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/cf-serverd/server_common.c b/cf-serverd/server_common.c
index 916bbdffcc..d6859bed2c 100644
--- a/cf-serverd/server_common.c
+++ b/cf-serverd/server_common.c
@@ -732,6 +732,7 @@ int StatFile(ServerConnectionState *conn, char *sendbuffer, char *ofilename)
 /* the simplest way to transfer the data is to convert them into */
 /* plain text and interpret them on the other side. */
 {
+ assert(conn != NULL);
 Stat cfst;
 struct stat statbuf, statlinkbuf;
 char linkbuf[CF_BUFSIZE], filename[CF_BUFSIZE - 128];
@@ -874,10 +875,17 @@ int StatFile(ServerConnectionState *conn, char *sendbuffer, char *ofilename)
 memset(sendbuffer, 0, CF_MSGSIZE);
+ // +3 because we need to prepend 'OK:' to the path
+ if (strlen(linkbuf)+3 > CF_MSGSIZE) {
+ NDEBUG_UNUSED int ret = snprintf(sendbuffer, CF_MSGSIZE, "BAD: Symlink resolves to a path too long (%ld) to send over the protocol.", strlen(linkbuf)+3);
+ assert(ret > 0 && ret < CF_MSGSIZE);
+ SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
+ return -1;
+ }
 if (cfst.cf_readlink != NULL) {
- strcpy(sendbuffer, "OK:");
- strcat(sendbuffer, cfst.cf_readlink);
+ NDEBUG_UNUSED int ret = snprintf(sendbuffer, CF_MSGSIZE, "OK:%s", linkbuf);
+ assert(ret > 0 && ret < CF_MSGSIZE);
 } else {
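Review bot: The new length guard in the second hunk is off by one against its own assertion: `strlen(linkbuf)+3 > CF_MSGSIZE` lets a path of exactly CF_MSGSIZE-3 bytes through, after which `snprintf(sendbuffer, CF_MSGSIZE, "OK:%s", linkbuf)` truncates and returns CF_MSGSIZE, so `assert(ret < CF_MSGSIZE)` aborts a debug build while a release build is left with the target's last byte cut off in sendbuffer. Changing the guard to `if (strlen(linkbuf) + 3 >= CF_MSGSIZE) {` accounts for the terminating NUL and makes the check agree with the assertion. The BAD message also formats a size_t with `%ld`; `%zu` matches the argument type. Both snprintf results are checked only by assert, which NDEBUG builds compile out, so the guard is the only protection that ships. The guard reads linkbuf before the `cfst.cf_readlink != NULL` test, so it relies on linkbuf being initialised earlier in StatFile for non-symlink files, which is outside this hunk and worth confirming.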