otp: Copy strings with explicit limiting
When copying username, challenge and password in otp_pw_valid, use
strlcpy accepting explicit destination size and verify its result,
instead of first assuming or verifying the string will fit and then
doing unlimited strcpy.
This silences the following Coverity errors.
Error: STRING_OVERFLOW (CWE-120):
freeradius-server-3.0.4rc2/src/modules/rlm_otp/otp_pw_valid.c:89: fixed_size_dest: You might overrun the 32 byte fixed-size string "otp_request.username" by copying "username" without checking the length.
Error: STRING_OVERFLOW (CWE-120):
freeradius-server-3.0.4rc2/src/modules/rlm_otp/otp_pw_valid.c:90: fixed_size_dest: You might overrun the 17 byte fixed-size string "otp_request.challenge" by copying "challenge" without checking the length.
freeradius-server-3.0.4rc2/src/modules/rlm_otp/otp_pw_valid.c:90: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
Error: STRING_OVERFLOW (CWE-120):
freeradius-server-3.0.4rc2/src/modules/rlm_otp/otp_pw_valid.c:122: fixed_size_dest: You might overrun the 48 byte fixed-size string "otp_request.pwe.u.pap.passcode" by copying "rvp->data.strvalue" without checking the length.