pbrd: remove unsafe string copy

A user could overflow the pbr_ifp->mapname buffer by entering a pbr-map
name longer than 100 characters.

Coverity #1467821
Coverity #1467821

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>

diff --git a/pbrd/pbr_vty.c b/pbrd/pbr_vty.c
index 87ec3804a53778164475fc6ed100f29a0aed7317..f598b2645c656e821123bb45ec95ff8bee7047e2 100644 (file)
--- a/pbrd/pbr_vty.c
+++ b/pbrd/pbr_vty.c
@@ -322,27 +322,20 @@ DEFPY (pbr_policy,
 
        if (no) {
                if (strcmp(pbr_ifp->mapname, mapname) == 0) {
-                       strcpy(pbr_ifp->mapname, "");
-
+                       pbr_ifp->mapname[0] = '\0';
                        if (pbrm)
                                pbr_map_interface_delete(pbrm, ifp);
                }
        } else {
-               if (strcmp(pbr_ifp->mapname, "") == 0) {
-                       strcpy(pbr_ifp->mapname, mapname);
-
-                       if (pbrm)
-                               pbr_map_add_interface(pbrm, ifp);
-               } else {
-                       if (!(strcmp(pbr_ifp->mapname, mapname) == 0)) {
-                               old_pbrm = pbrm_find(pbr_ifp->mapname);
-                               if (old_pbrm)
-                                       pbr_map_interface_delete(old_pbrm, ifp);
-                               strcpy(pbr_ifp->mapname, mapname);
-                               if (pbrm)
-                                       pbr_map_add_interface(pbrm, ifp);
-                       }
+               if (strcmp(pbr_ifp->mapname, "") != 0) {
+                       old_pbrm = pbrm_find(pbr_ifp->mapname);
+                       if (old_pbrm)
+                               pbr_map_interface_delete(old_pbrm, ifp);
                }
+               snprintf(pbr_ifp->mapname, sizeof(pbr_ifp->mapname),
+                        "%s", mapname);
+               if (pbrm)
+                       pbr_map_add_interface(pbrm, ifp);
        }
 
        return CMD_SUCCESS;