Fix a stack overflow in mount_smbfs when hostname is too long.

The local hostname was blindly copied into the to the nn_name array.
When the hostname exceeded 16 bytes, it would overflow.  Truncate the
hostname to 15 bytes plus a 0 terminator which is the "workstation name"
suffix.

Use defensive strlcpy() when filling nn_name in all cases.

PR:		228354
Reported by:	donald.buchholz@intel.com
Reviewed by:	jpaetzel,  ian (prior version)
Discussed with:	Security Officer (gtetlow)
MFC after:	3 days
Security:	Stack overflow with the hostname.
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D15936

contrib/smbfs/lib/smb/ctx.c

@@ -549,7 +549,9 @@ smb_ctx_resolve(struct smb_ctx *ctx)
 	}
 	nn.nn_scope = ctx->ct_nb->nb_scope;
 	nn.nn_type = NBT_SERVER;
-	strcpy(nn.nn_name, ssn->ioc_srvname);
+	if (strlen(ssn->ioc_srvname) > NB_NAMELEN)
+		return NBERROR(NBERR_NAMETOOLONG);
+	strlcpy(nn.nn_name, ssn->ioc_srvname, sizeof(nn.nn_name));
 	error = nb_sockaddr(sap, &nn, &saserver);
 	nb_snbfree(sap);
 	if (error) {
@@ -565,7 +567,11 @@ smb_ctx_resolve(struct smb_ctx *ctx)
 		}
 		nls_str_upper(ctx->ct_locname, ctx->ct_locname);
 	}
-	strcpy(nn.nn_name, ctx->ct_locname);
+	/*
+	 * Truncate the local host name to NB_NAMELEN-1 which gives a
+	 * suffix of 0 which is "workstation name".
+	 */
+	strlcpy(nn.nn_name, ctx->ct_locname, NB_NAMELEN);
 	nn.nn_type = NBT_WKSTA;
 	nn.nn_scope = ctx->ct_nb->nb_scope;
 	error = nb_sockaddr(NULL, &nn, &salocal);

contrib/smbfs/lib/smb/nbns_rq.c

@@ -74,7 +74,7 @@ nbns_resolvename(const char *name, struct nb_ctx *ctx, struct sockaddr **adpp)
 	if (error)
 		return error;
 	bzero(&nn, sizeof(nn));
-	strcpy(nn.nn_name, name);
+	strlcpy(nn.nn_name, name, sizeof(nn.nn_name));
 	nn.nn_scope = ctx->nb_scope;
 	nn.nn_type = NBT_SERVER;
 	rqp->nr_nmflags = NBNS_NMFLAG_RD;