From fb474cd65aa6771a4361f626d89d2878eaeef9ff Mon Sep 17 00:00:00 2001
From: Lars Erik Wik <lars.erik.wik@northern.tech>
Date: Wed, 10 Dec 2025 16:59:47 +0100
Subject: [PATCH] Fixed buffer overflow in build XPath for edit_xml

Ticket: ENT-13550
Changelog: Title
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
---
 cf-agent/files_editxml.c | 19 ++++++++++++-------
 libntech                 |  2 +-
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/cf-agent/files_editxml.c b/cf-agent/files_editxml.c
index 781dfb5eb0..0bc01b5b8a 100644
--- a/cf-agent/files_editxml.c
+++ b/cf-agent/files_editxml.c
@@ -29,6 +29,8 @@
 #include <promises.h>
 #include <files_names.h>
 #include <files_edit.h>
+#include <stddef.h>
+#include <stdio.h>
 #include <vars.h>
 #include <item_lib.h>
 #include <sort.h>
@@ -42,6 +44,7 @@
 #include <ornaments.h>
 #include <verify_classes.h>
 #include <regex.h>              /* StringMatch() */
+#include <logging.h>
 
 enum editxmltypesequence
 {
@@ -344,6 +347,7 @@ static PromiseResult KeepEditXmlPromise(EvalContext *ctx, const Promise *pp,
 static bool VerifyXPathBuild(EvalContext *ctx, const Attributes *attr, const Promise *pp, EditContext *edcontext, PromiseResult *result)
 {
     assert(attr != NULL);
+    assert(pp != NULL);
     Attributes a = *attr; // TODO: Remove this copy
     xmlDocPtr doc = NULL;
     CfLock thislock;
@@ -351,13 +355,14 @@ static bool VerifyXPathBuild(EvalContext *ctx, const Attributes *attr, const Pro
 
     a.transaction.ifelapsed = CF_EDIT_IFELAPSED;
 
-    if (a.xml.havebuildxpath)
-    {
-        strcpy(rawxpath, a.xml.build_xpath);
-    }
-    else
-    {
-        strcpy(rawxpath, pp->promiser);
+    int ret = snprintf(rawxpath, sizeof(rawxpath), "%s",
+        a.xml.havebuildxpath ? a.xml.build_xpath : pp->promiser);
+    if (ret < 0 ||(size_t)ret >= sizeof(rawxpath)) {
+        Log(LOG_LEVEL_VERBOSE, "Build XPath is too long (%d >= %zu)", ret, sizeof(rawxpath));
+        RecordFailure(ctx, pp, &a,
+                      "The promised build XPath build is too long");
+        *result = PromiseResultUpdate(*result, PROMISE_RESULT_FAIL);
+        return false;
     }
 
     if (!SanityCheckXPathBuild(ctx, &a, pp, result))
diff --git a/libntech b/libntech
index fb0ea942ad..476b57f286 160000
--- a/libntech
+++ b/libntech
@@ -1 +1 @@
-Subproject commit fb0ea942ada6f87243022edc152e498c10041a86
+Subproject commit 476b57f286aa54400355e450c537603338c3b833