Make sure strncpy'ed string are 0-terminated

spice_server_set_ticket and spice_server_set_addr get (library)
user-provided strings as arguments, and copy them to fixed-size
buffers using strncpy. However, if these strings are too long,
the copied string will not be 0-terminated, which will cause issues
later. This commit copies one byte less than the size of the
destination buffer. In both cases, this buffer is a static global
variable, so its memory will be set to 0.

1 files changed, 2 insertions, 2 deletions

diff --git a/server/reds.c b/server/reds.c
index a896cf2a..7f729ca5 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -3981,7 +3981,7 @@ SPICE_GNUC_VISIBLE int spice_server_set_port(SpiceServer *s, int port)
 SPICE_GNUC_VISIBLE void spice_server_set_addr(SpiceServer *s, const char *addr, int flags)
 {
     spice_assert(reds == s);
-    strncpy(spice_addr, addr, sizeof(spice_addr));
+    strncpy(spice_addr, addr, sizeof(spice_addr)-1);
     if (flags & SPICE_ADDR_FLAG_IPV4_ONLY) {
         spice_family = PF_INET;
     }
@@ -4072,7 +4072,7 @@ SPICE_GNUC_VISIBLE int spice_server_set_ticket(SpiceServer *s,
         taTicket.expiration_time = now + lifetime;
     }
     if (passwd != NULL) {
-        strncpy(taTicket.password, passwd, sizeof(taTicket.password));
+        strncpy(taTicket.password, passwd, sizeof(taTicket.password)-1);
     } else {
         memset(taTicket.password, 0, sizeof(taTicket.password));
         taTicket.expiration_time = 0;