create_tempfile: pass pointer to full pathname to strlcat()

Fixes a potential buffer overrun.  Also check strlcpy() and strlcat()
return value to detect truncations.  Based on a diff from naddy@.
OK naddy@ tb@ deraadt@

diff --git a/usr.bin/xinstall/xinstall.c b/usr.bin/xinstall/xinstall.c
index 6183347..dccb178 100644 (file)
--- a/usr.bin/xinstall/xinstall.c
+++ b/usr.bin/xinstall/xinstall.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: xinstall.c,v 1.77 2022/12/04 23:50:50 cheloha Exp $   */
+/*     $OpenBSD: xinstall.c,v 1.78 2024/10/17 15:38:38 millert Exp $   */
 /*     $NetBSD: xinstall.c,v 1.9 1995/12/20 10:25:17 jonathan Exp $    */
 
 /*
@@ -621,13 +621,19 @@ create_tempfile(char *path, char *temp, size_t tsize)
 {
        char *p;
 
-       strlcpy(temp, path, tsize);
+       if (strlcpy(temp, path, tsize) >= tsize) {
+               errno = ENAMETOOLONG;
+               return(-1);
+       }
        if ((p = strrchr(temp, '/')) != NULL)
                p++;
        else
                p = temp;
        *p = '\0';
-       strlcat(p, "INS@XXXXXXXXXX", tsize);
+       if (strlcat(temp, "INS@XXXXXXXXXX", tsize) >= tsize) {
+               errno = ENAMETOOLONG;
+               return(-1);
+       }
 
        return(mkstemp(temp));
 }