From 436f1dad921b7c208c9c64d146d447c714cdab7f Mon Sep 17 00:00:00 2001
From: Craig Comstock
Date: Tue, 25 Nov 2025 07:52:55 -0600
Subject: [PATCH] Fixed length checking in StatFile

If a symlink resolves to a path that is longer than the maximum allowed by the protocol, currently 4088 bytes, then an error response is generated. Previously the server side would ignore an error from SendTransaction() due to the large size and the client-side would hang/timeout waiting for a response.
Ticket: ENT-13542
Changelog: title
(cherry picked from commit 90220ca8c932a21a6ea457a42bcca7929a10d6a8)
---
 cf-serverd/server_common.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/cf-serverd/server_common.c b/cf-serverd/server_common.c
index 6322a1a9d2..09057687b1 100644
--- a/cf-serverd/server_common.c
+++ b/cf-serverd/server_common.c
@@ -704,6 +704,7 @@ int StatFile(ServerConnectionState *conn, char *sendbuffer, char *ofilename)
 /* the simplest way to transfer the data is to convert them into */
 /* plain text and interpret them on the other side. */
 {
+ assert(conn != NULL);
 Stat cfst;
 struct stat statbuf, statlinkbuf;
 char linkbuf[CF_BUFSIZE], filename[CF_BUFSIZE - 128];
@@ -846,10 +847,17 @@ int StatFile(ServerConnectionState *conn, char *sendbuffer, char *ofilename)
 memset(sendbuffer, 0, CF_MSGSIZE);
+ // +3 because we need to prepend 'OK:' to the path
+ if (strlen(linkbuf)+3 > CF_MSGSIZE) {
+ NDEBUG_UNUSED int ret = snprintf(sendbuffer, CF_MSGSIZE, "BAD: Symlink resolves to a path too long (%ld) to send over the protocol.", strlen(linkbuf)+3);
+ assert(ret > 0 && ret < CF_MSGSIZE);
+ SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
+ return -1;
+ }
 if (cfst.cf_readlink != NULL)
 {
- strcpy(sendbuffer, "OK:");
- strcat(sendbuffer, cfst.cf_readlink);
+ NDEBUG_UNUSED int ret = snprintf(sendbuffer, CF_MSGSIZE, "OK:%s", linkbuf);
+ assert(ret > 0 && ret < CF_MSGSIZE);
 }
 else
 {
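Review bot: The length guard added before `if (cfst.cf_readlink != NULL)` in the second hunk is off by one and sits outside that NULL test. When `strlen(linkbuf)+3 == CF_MSGSIZE` the guard passes, `snprintf` truncates and returns `CF_MSGSIZE`, so `assert(ret > 0 && ret < CF_MSGSIZE)` trips in debug builds and an NDEBUG build sends the path minus its last byte. `linkbuf` is declared without an initializer in the first hunk, so if it is only filled on the symlink path (not visible here) the `strlen(linkbuf)` call reads an indeterminate buffer for every non-link file. I would fold the test into the readlink case, `if (cfst.cf_readlink != NULL && strlen(cfst.cf_readlink) + 3 >= CF_MSGSIZE)`, and print the length with `%zu`, because `strlen()` returns `size_t` and `%ld` does not match it. StatFile starts before this hunk and continues past it.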