From 91452c68e80985a756087258b4b7dd904c7fe475 Mon Sep 17 00:00:00 2001
From: Lars Erik Wik
Date: Fri, 30 Jan 2026 11:03:48 +0100
Subject: [PATCH] Fixed buffer overflow in the files promise

Ticket: SEC-1892
Changelog: Title
Signed-off-by: Lars Erik Wik
(cherry picked from commit 0d3db5c6feddeeadce03f039a6ce00e8b9bd2120)
---
 cf-agent/verify_files.c | 43 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 4 deletions(-)

diff --git a/cf-agent/verify_files.c b/cf-agent/verify_files.c
index b048fa37d2..b963b45950 100644
--- a/cf-agent/verify_files.c
+++ b/cf-agent/verify_files.c
@@ -60,6 +60,9 @@
 #include
 #include /* PrepareChangesChroot(), RecordFileChangedInChroot() */
 #include
+#include
+#include
+#include
 
 static PromiseResult FindFilePromiserObjects(EvalContext *ctx, const Promise *pp);
 static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promise *pp);
@@ -1013,12 +1016,28 @@ PromiseResult ScheduleEditOperation(EvalContext *ctx, char *filename,
 if ((vp = PromiseGetConstraintAsRval(pp, "edit_line", RVAL_TYPE_FNCALL)))
 {
 fp = (FnCall *) vp;
- strcpy(edit_bundle_name, fp->name);
+ size_t ret = strlcpy(edit_bundle_name, fp->name, sizeof(edit_bundle_name));
+ if (ret >= sizeof(edit_bundle_name))
+ {
+ RecordFailure(ctx, pp, a,
+ "The edit_line bundle name is too long (%zu >= %zu)",
+ ret, sizeof(edit_bundle_name));
+ result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
+ goto exit;
+ }
 args = fp->args;
 }
 else if ((vp = PromiseGetConstraintAsRval(pp, "edit_line", RVAL_TYPE_SCALAR)))
 {
- strcpy(edit_bundle_name, (char *) vp);
+ size_t ret = strlcpy(edit_bundle_name, (char *) vp, sizeof(edit_bundle_name));
+ if (ret >= sizeof(edit_bundle_name))
+ {
+ RecordFailure(ctx, pp, a,
+ "The edit_line bundle name is too long (%zu >= %zu)",
+ ret, sizeof(edit_bundle_name));
+ result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
+ goto exit;
+ }
 args = NULL;
 }
 else
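Review bot: The same nine-line copy-and-check is pasted four times, twice here for `edit_line` and twice in the `edit_xml` hunk that follows, differing only in the source pointer and one word of the message; a bounds check added as a security fix is easier to audit and keep in sync as one static helper. The helper below records the failure and returns false, leaving `result` and `goto exit` at the call site. The type of `a` is declared outside the hunk and is assumed here to be `const Attributes *`; ScheduleEditOperation's body also starts and ends outside the hunk.

```c
/* Copy a bundle name into a fixed-size buffer; on truncation record a
 * promise failure and return false so the caller can bail out. */
static bool CopyEditBundleName(EvalContext *ctx, const Promise *pp, const Attributes *a,
                               const char *attr, const char *name,
                               char *dst, size_t dst_size)
{
    const size_t len = strlcpy(dst, name, dst_size);
    if (len >= dst_size)
    {
        RecordFailure(ctx, pp, a,
                      "The %s bundle name is too long (%zu >= %zu)",
                      attr, len, dst_size);
        return false;
    }
    return true;
}

// … unchanged: PromiseGetConstraintAsRval() lookups; each of the four copies becomes …
if (!CopyEditBundleName(ctx, pp, a, "edit_line", fp->name,
                        edit_bundle_name, sizeof(edit_bundle_name)))
{
    result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
    goto exit;
}
```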
@@ -1051,12 +1070,28 @@ PromiseResult ScheduleEditOperation(EvalContext *ctx, char *filename,
 if ((vp = PromiseGetConstraintAsRval(pp, "edit_xml", RVAL_TYPE_FNCALL)))
 {
 fp = (FnCall *) vp;
- strcpy(edit_bundle_name, fp->name);
+ size_t ret = strlcpy(edit_bundle_name, fp->name, sizeof(edit_bundle_name));
+ if (ret >= sizeof(edit_bundle_name))
+ {
+ RecordFailure(ctx, pp, a,
+ "The edit_xml bundle name is too long (%zu >= %zu)",
+ ret, sizeof(edit_bundle_name));
+ result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
+ goto exit;
+ }
 args = fp->args;
 }
 else if ((vp = PromiseGetConstraintAsRval(pp, "edit_xml", RVAL_TYPE_SCALAR)))
 {
- strcpy(edit_bundle_name, (char *) vp);
+ size_t ret = strlcpy(edit_bundle_name, (char *) vp, sizeof(edit_bundle_name));
+ if (ret >= sizeof(edit_bundle_name))
+ {
+ RecordFailure(ctx, pp, a,
+ "The edit_xml bundle name is too long (%zu >= %zu)",
+ ret, sizeof(edit_bundle_name));
+ result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
+ goto exit;
+ }
 args = NULL;
 }
 else
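Review bot: Nothing in the patch exercises the new rejection path, since the diffstat lists only cf-agent/verify_files.c, so the boundary in `if (ret >= sizeof(edit_bundle_name))` is unpinned for both `edit_xml` branches here and the `edit_line` ones in the previous hunk. A regression test that supplies a bundle name of exactly `sizeof(edit_bundle_name) - 1` characters (accepted) and one character more (promise fails, agent keeps running) would guard against a later off-by-one. The buffer declaration and the `exit` label are outside the hunk, so the size to test against and the cleanup reached by `goto exit` should be confirmed in the full function.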