Added space for 'pycmd' string termination needed by 'strncat' and replaced 'sprintf' with 'strncat'

Martin-Rehr · Martin-Rehr · commit a93e3181c499 · 2025-08-07T16:37:08.000+02:00
diff --git a/mig/src/libpam-mig/migauthhandler.c b/mig/src/libpam-mig/migauthhandler.c
@@ -368,9 +368,9 @@ static bool mig_reg_auth_attempt(const unsigned int mode,
         /* We don't exit hard here to make sure other auth types may follow */
         return false;
     }
-    char pycmd[MAX_PYCMD_LENGTH] =
+    /* NOTE: Allocate space for string terminator '\0' added by strncat after concatenation */
+    char pycmd[MAX_PYCMD_LENGTH+1] =
         "(authorized, disconnect) = validate_auth_attempt(configuration, 'sftp-subsys', ";
-    char pytmp[MAX_PYCMD_LENGTH];
     /* Always password auth here as mentioned in the above comment */
     strncat(&pycmd[0], "'password', ", MAX_PYCMD_LENGTH - strlen(pycmd));
 
@@ -380,8 +380,9 @@ static bool mig_reg_auth_attempt(const unsigned int mode,
     strncat(&pycmd[0], address, MAX_PYCMD_LENGTH - strlen(pycmd));
     strncat(&pycmd[0], "', ", MAX_PYCMD_LENGTH - strlen(pycmd));
     if (secret != NULL) {
-        sprintf(&pytmp[0], "secret='%s', ", secret);
-        strncat(&pycmd[0], &pytmp[0], MAX_PYCMD_LENGTH - strlen(pycmd));
+        strncat(&pycmd[0], "secret='", MAX_PYCMD_LENGTH - strlen(pycmd));
+        strncat(&pycmd[0], secret, MAX_PYCMD_LENGTH - strlen(pycmd));
+        strncat(&pycmd[0], "', ", MAX_PYCMD_LENGTH - strlen(pycmd));
     }
     if (mode & MIG_INVALID_USERNAME) {
         strncat(&pycmd[0], "invalid_username=True, ",
