You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
83 lines
2.3 KiB
83 lines
2.3 KiB
autofs-5.1.0 - check options length before use in parse_amd.c |
|
|
|
From: Ian Kent <ikent@redhat.com> |
|
|
|
Check for temporary buffer overflow before copy at several places in |
|
modules/parse_amd.c. |
|
--- |
|
CHANGELOG | 1 + |
|
modules/parse_amd.c | 36 ++++++++++++++++++++++++++++++++---- |
|
2 files changed, 33 insertions(+), 4 deletions(-) |
|
|
|
--- autofs-5.0.7.orig/CHANGELOG |
|
+++ autofs-5.0.7/CHANGELOG |
|
@@ -141,6 +141,7 @@ |
|
- check amd lex buffer len before copy. |
|
- add return check in ldap check_map_indirect(). |
|
- check host macro is set before use. |
|
+- check options length before use in parse_amd.c. |
|
|
|
25/07/2012 autofs-5.0.7 |
|
======================= |
|
--- autofs-5.0.7.orig/modules/parse_amd.c |
|
+++ autofs-5.0.7/modules/parse_amd.c |
|
@@ -906,9 +906,20 @@ static int do_auto_mount(struct autofs_p |
|
{ |
|
char target[PATH_MAX + 1]; |
|
|
|
- if (!entry->map_type) |
|
+ if (!entry->map_type) { |
|
+ if (strlen(entry->fs) > PATH_MAX) { |
|
+ error(ap->logopt, MODPREFIX |
|
+ "error: fs option length is too long"); |
|
+ return 0; |
|
+ } |
|
strcpy(target, entry->fs); |
|
- else { |
|
+ } else { |
|
+ if (strlen(entry->fs) + |
|
+ strlen(entry->map_type) + 5 > PATH_MAX) { |
|
+ error(ap->logopt, MODPREFIX |
|
+ "error: fs + maptype options length is too long"); |
|
+ return 0; |
|
+ } |
|
strcpy(target, entry->map_type); |
|
strcat(target, ",amd:"); |
|
strcat(target, entry->fs); |
|
@@ -925,10 +936,21 @@ static int do_link_mount(struct autofs_p |
|
const char *opts = (entry->opts && *entry->opts) ? entry->opts : NULL; |
|
int ret; |
|
|
|
- if (entry->sublink) |
|
+ if (entry->sublink) { |
|
+ if (strlen(entry->sublink) > PATH_MAX) { |
|
+ error(ap->logopt, MODPREFIX |
|
+ "error: sublink option length is too long"); |
|
+ return 0; |
|
+ } |
|
strcpy(target, entry->sublink); |
|
- else |
|
+ } else { |
|
+ if (strlen(entry->fs) > PATH_MAX) { |
|
+ error(ap->logopt, MODPREFIX |
|
+ "error: fs option length is too long"); |
|
+ return 0; |
|
+ } |
|
strcpy(target, entry->fs); |
|
+ } |
|
|
|
if (!(flags & CONF_AUTOFS_USE_LOFS)) |
|
goto symlink; |
|
@@ -1017,6 +1039,12 @@ static int do_nfs_mount(struct autofs_po |
|
unsigned int umount = 0; |
|
int ret = 0; |
|
|
|
+ if (strlen(entry->rhost) + strlen(entry->rfs) + 1 > PATH_MAX) { |
|
+ error(ap->logopt, MODPREFIX |
|
+ "error: rhost + rfs options length is too long"); |
|
+ return 0; |
|
+ } |
|
+ |
|
strcpy(target, entry->rhost); |
|
strcat(target, ":"); |
|
strcat(target, entry->rfs);
|
|
|