| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2025-10-17 11:54:48 +0000 |
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2025-10-17 11:54:48 +0000 |
| commit | 5854d1cbab1073d78519e7ad9a6eb5726341d587 (patch) | |
| tree | 2b879c71a62d4a5fecdf32cab98cc52e302fda71 | |
| parent | c0f17d637a4ab1e5dcae6b931623b7b0ee5bece2 (diff) | |
quot: Fix benign buffer overflow
If it encounters an inode whose owner does not have a pw entry, quot
allocates a 7-byte buffer (8 in practice, since that is the minimum
allocation size) and uses it to store the numeric uid preceded by a
hash character. This will overflow the allocated buffer if the UID
exceeds 6 decimal digits. Avoid this by using asprintf() instead.
While here, simplify the common case as well using strdup().
Reported by: Igor Gabriel Sousa e Souza <igor@bsdtrust.com>
MFC after: 3 days
Reviewed by: obiwac, emaste
Differential Revision: https://reviews.freebsd.org/D53129
| -rw-r--r-- | usr.sbin/quot/quot.c | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/usr.sbin/quot/quot.c b/usr.sbin/quot/quot.c index 4152c498371a..c11c46a500a1 100644 --- a/usr.sbin/quot/quot.c +++ b/usr.sbin/quot/quot.c @@ -280,14 +280,10 @@ user(uid_t uid) usr--) { if (!usr->name) { usr->uid = uid; - if (!(pwd = getpwuid(uid))) { - if ((usr->name = (char *)malloc(7))) - sprintf(usr->name,"#%d",uid); + asprintf(&usr->name, "#%u", uid); } else { - if ((usr->name = (char *) - malloc(strlen(pwd->pw_name) + 1))) - strcpy(usr->name,pwd->pw_name); + usr->name = strdup(pwd->pw_name); } if (!usr->name) errx(1, "allocate users"); |
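
Review bot: The asprintf() call in the branch for owners without a pw entry ignores its return value, so allocation failure is only caught by the later `if (!usr->name)` test, which depends on asprintf() leaving the pointer NULL when it fails. FreeBSD's asprintf(3) documents that it sets the pointer to NULL on failure, so the check works here, but testing the result directly, for example `if (asprintf(&usr->name, "#%u", uid) < 0) usr->name = NULL;`, would make that dependency explicit and keep the code correct if it is copied to a libc that leaves the pointer undefined. Separately, the format changes from "%d" to "%u" in the same line, which alters how UIDs above INT_MAX are printed; the commit message does not mention it and a short note there would help anyone merging this to a stable branch.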
