bridge_do_pfctl: allocate mib_name dynamically using asprintf

This is being done to reduce wasted space, simplify complexity in
the code, and to quell a Coverity warning about buffer overruns.
warning about buffer overruns.

MFC after:	1 week
Reported by:	Coverity
CID:		1006736

1 files changed, 12 insertions, 7 deletions

diff --git a/usr.sbin/bsnmpd/modules/snmp_bridge/bridge_sys.c b/usr.sbin/bsnmpd/modules/snmp_bridge/bridge_sys.c
index 24099ec5fb28..1cbc3ec6039e 100644
--- a/usr.sbin/bsnmpd/modules/snmp_bridge/bridge_sys.c
+++ b/usr.sbin/bsnmpd/modules/snmp_bridge/bridge_sys.c
@@ -1459,7 +1459,7 @@ bridge_get_pfval(uint8_t which)
 int32_t
 bridge_do_pfctl(int32_t bridge_ctl, enum snmp_op op, int32_t *val)
 {
-	char mib_name[100];
+	char *mib_oid;
 	int32_t i, s_i;
 	size_t len, s_len;
 
@@ -1474,19 +1474,24 @@ bridge_do_pfctl(int32_t bridge_ctl, enum snmp_op op, int32_t *val)
 
 	len = sizeof(i);
 
-	strcpy(mib_name, bridge_sysctl);
+	asprintf(&mib_oid, "%s%s", bridge_sysctl,
+	    bridge_pf_sysctl[bridge_ctl].name);
+	if (mib_oid == NULL)
+		return (-1);
 
-	if (sysctlbyname(strcat(mib_name,
-	    bridge_pf_sysctl[bridge_ctl].name), &i, &len,
-	    (op == SNMP_OP_SET ? &s_i : NULL), s_len) == -1) {
-		syslog(LOG_ERR, "sysctl(%s%s) failed - %s", bridge_sysctl,
-		    bridge_pf_sysctl[bridge_ctl].name, strerror(errno));
+	if (sysctlbyname(mib_oid, &i, &len, (op == SNMP_OP_SET ? &s_i : NULL),
+	    s_len) == -1) {
+		syslog(LOG_ERR, "sysctl(%s) failed - %s", mib_oid,
+		    strerror(errno));
+		free(mib_oid);
 		return (-1);
 	}
 
 	bridge_pf_sysctl[bridge_ctl].val = i;
 	*val = i;
 
+	free(mib_oid);
+
 	return (i);
 }