From 526107a7536c3ae8d7de2b38bc668b940f52ca35 Mon Sep 17 00:00:00 2001
From: Corinna Vinschen
Date: Sun, 23 Oct 2016 17:02:24 +0200
Subject: [PATCH] mkgroup/mkpasswd: Fix potential buffer overwrite in corner case
Fixes Coverity CIDs 60076, 60077 and 60081
Signed-off-by: Corinna Vinschen
---
 winsup/utils/mkgroup.c | 16 ++++++++++------
 winsup/utils/mkpasswd.c | 8 +++++---
 2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/winsup/utils/mkgroup.c b/winsup/utils/mkgroup.c
index a9949d5f1..fc36e274c 100644
--- a/winsup/utils/mkgroup.c
+++ b/winsup/utils/mkgroup.c
@@ -296,10 +296,12 @@ enum_local_groups (domlist_t *mach, const char *sep,
 else if (acc_type == SidTypeDomain)
 {
 WCHAR domname[MAX_DOMAIN_NAME_LEN + GNLEN + 2];
+ PWCHAR p;
- wcscpy (domname, domain_name);
- wcscat (domname, L"\\");
- wcscat (domname, buffer[i].lgrpi0_name);
+ p = wcpcpy (domname, domain_name);
+ p = wcpcpy (p, L"\\");
+ p = wcpncpy (p, buffer[i].lgrpi0_name, GNLEN);
+ *p = L'\0';
 sid_length = SECURITY_MAX_SID_SIZE;
 domname_len = MAX_DOMAIN_NAME_LEN + 1;
 if (!LookupAccountNameW (machine, domname,
@@ -434,10 +436,12 @@ enum_groups (domlist_t *mach, const char *sep, DWORD id_offset,
 else if (acc_type == SidTypeDomain)
 {
 WCHAR domname[MAX_DOMAIN_NAME_LEN + GNLEN + 2];
+ PWCHAR p;
- wcscpy (domname, machine);
- wcscat (domname, L"\\");
- wcscat (domname, buffer[i].grpi2_name);
+ p = wcpcpy (domname, machine);
+ p = wcpcpy (p, L"\\");
+ p = wcpncpy (p, buffer[i].grpi2_name, GNLEN);
+ *p = L'\0';
 sid_length = SECURITY_MAX_SID_SIZE;
 domname_len = MAX_DOMAIN_NAME_LEN + 1;
 if (!LookupAccountNameW (machine, domname, psid, &sid_length,
diff --git a/winsup/utils/mkpasswd.c b/winsup/utils/mkpasswd.c
index 27c607f47..9562eacbd 100644
--- a/winsup/utils/mkpasswd.c
+++ b/winsup/utils/mkpasswd.c
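Review bot: Only the last of the three copies is bounded; `p = wcpcpy (domname, domain_name);` still copies its source with no length limit, and the same holds for `p = wcpcpy (domname, machine);` in the enum_groups hunk and in the enum_users hunk of mkpasswd.c. The GNLEN/UNLEN bound keeps the writes (including the final `*p = L'\0';`) inside `domname` only if that first component is at most MAX_DOMAIN_NAME_LEN wide characters, which none of the hunks establishes; the enclosing functions start and end outside them. If `machine` can be longer than that, bound it as well, e.g. `p = wcpncpy (domname, machine, MAX_DOMAIN_NAME_LEN);`, or reject over-long names before this block.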
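Review bot: A name longer than GNLEN is now silently cut by `p = wcpncpy (p, buffer[i].grpi2_name, GNLEN);`, and the shortened string is still passed to LookupAccountNameW, so the lookup could fail or resolve a different account than the one enumerated. This should not occur if the enumeration API honours GNLEN, but since the bound exists for exactly that corner case, the intended outcome deserves a comment such as `/* Names are at most GNLEN chars per lmcons.h; anything longer is truncated here. */`, or the entry could be skipped explicitly. The same applies to the `lgrpi0_name` copy in enum_local_groups and the `usri3_name` copy in mkpasswd.c.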
@@ -312,10 +312,12 @@ enum_users (domlist_t *mach, const char *sep, const char *passed_home_path,
 else if (acc_type == SidTypeDomain)
 {
 WCHAR domname[MAX_DOMAIN_NAME_LEN + UNLEN + 2];
+ PWCHAR p;
- wcscpy (domname, machine);
- wcscat (domname, L"\\");
- wcscat (domname, buffer[i].usri3_name);
+ p = wcpcpy (domname, machine);
+ p = wcpcpy (p, L"\\");
+ p = wcpncpy (p, buffer[i].usri3_name, UNLEN);
+ *p = L'\0';
 sid_length = SECURITY_MAX_SID_SIZE;
 domname_len = sizeof (domname);
 if (!LookupAccountNameW (machine, domname, psid,
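Review bot: The context line `domname_len = sizeof (domname);` yields a byte count of the lookup-name buffer, whereas both mkgroup.c hunks set `domname_len = MAX_DOMAIN_NAME_LEN + 1;` at the same point. If `domname_len` is passed to LookupAccountNameW as the size of the referenced-domain output buffer, that parameter is a character count for a different buffer, so this value would overstate it and reintroduce an overwrite risk on the output side. The remaining arguments of the call are outside the hunk, so this needs confirming against the full function. If it holds, `domname_len = MAX_DOMAIN_NAME_LEN + 1;` would match mkgroup.c.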