|
Ian Kent |
ff6f3e |
autofs-5.1.0 - check options length before use in parse_amd.c
|
|
Ian Kent |
ff6f3e |
|
|
Ian Kent |
ff6f3e |
From: Ian Kent <ikent@redhat.com>
|
|
Ian Kent |
ff6f3e |
|
|
Ian Kent |
ff6f3e |
Check for temporary buffer overflow before copy at several places in
|
|
Ian Kent |
ff6f3e |
modules/parse_amd.c.
|
|
Ian Kent |
ff6f3e |
---
|
|
Ian Kent |
ff6f3e |
CHANGELOG | 1 +
|
|
Ian Kent |
ff6f3e |
modules/parse_amd.c | 36 ++++++++++++++++++++++++++++++++----
|
|
Ian Kent |
ff6f3e |
2 files changed, 33 insertions(+), 4 deletions(-)
|
|
Ian Kent |
ff6f3e |
|
|
Ian Kent |
ff6f3e |
diff --git a/CHANGELOG b/CHANGELOG
|
|
Ian Kent |
ff6f3e |
index 20290fc..81aadca 100644
|
|
Ian Kent |
ff6f3e |
--- a/CHANGELOG
|
|
Ian Kent |
ff6f3e |
+++ b/CHANGELOG
|
|
Ian Kent |
ff6f3e |
@@ -16,6 +16,7 @@
|
|
Ian Kent |
ff6f3e |
- check amd lex buffer len before copy.
|
|
Ian Kent |
ff6f3e |
- add return check in ldap check_map_indirect().
|
|
Ian Kent |
ff6f3e |
- check host macro is set before use.
|
|
Ian Kent |
ff6f3e |
+- check options length before use in parse_amd.c.
|
|
Ian Kent |
ff6f3e |
|
|
Ian Kent |
ff6f3e |
04/06/2014 autofs-5.1.0
|
|
Ian Kent |
ff6f3e |
=======================
|
|
Ian Kent |
ff6f3e |
diff --git a/modules/parse_amd.c b/modules/parse_amd.c
|
|
Ian Kent |
ff6f3e |
index 25fe4aa..6764152 100644
|
|
Ian Kent |
ff6f3e |
--- a/modules/parse_amd.c
|
|
Ian Kent |
ff6f3e |
+++ b/modules/parse_amd.c
|
|
Ian Kent |
ff6f3e |
@@ -906,9 +906,20 @@ static int do_auto_mount(struct autofs_point *ap, const char *name,
|
|
Ian Kent |
ff6f3e |
{
|
|
Ian Kent |
ff6f3e |
char target[PATH_MAX + 1];
|
|
Ian Kent |
ff6f3e |
|
|
Ian Kent |
ff6f3e |
- if (!entry->map_type)
|
|
Ian Kent |
ff6f3e |
+ if (!entry->map_type) {
|
|
Ian Kent |
ff6f3e |
+ if (strlen(entry->fs) > PATH_MAX) {
|
|
Ian Kent |
ff6f3e |
+ error(ap->logopt, MODPREFIX
|
|
Ian Kent |
ff6f3e |
+ "error: fs option length is too long");
|
|
Ian Kent |
ff6f3e |
+ return 0;
|
|
Ian Kent |
ff6f3e |
+ }
|
|
Ian Kent |
ff6f3e |
strcpy(target, entry->fs);
|
|
Ian Kent |
ff6f3e |
- else {
|
|
Ian Kent |
ff6f3e |
+ } else {
|
|
Ian Kent |
ff6f3e |
+ if (strlen(entry->fs) +
|
|
Ian Kent |
ff6f3e |
+ strlen(entry->map_type) + 5 > PATH_MAX) {
|
|
Ian Kent |
ff6f3e |
+ error(ap->logopt, MODPREFIX
|
|
Ian Kent |
ff6f3e |
+ "error: fs + maptype options length is too long");
|
|
Ian Kent |
ff6f3e |
+ return 0;
|
|
Ian Kent |
ff6f3e |
+ }
|
|
Ian Kent |
ff6f3e |
strcpy(target, entry->map_type);
|
|
Ian Kent |
ff6f3e |
strcat(target, ",amd:");
|
|
Ian Kent |
ff6f3e |
strcat(target, entry->fs);
|
|
Ian Kent |
ff6f3e |
@@ -925,10 +936,21 @@ static int do_link_mount(struct autofs_point *ap, const char *name,
|
|
Ian Kent |
ff6f3e |
const char *opts = (entry->opts && *entry->opts) ? entry->opts : NULL;
|
|
Ian Kent |
ff6f3e |
int ret;
|
|
Ian Kent |
ff6f3e |
|
|
Ian Kent |
ff6f3e |
- if (entry->sublink)
|
|
Ian Kent |
ff6f3e |
+ if (entry->sublink) {
|
|
Ian Kent |
ff6f3e |
+ if (strlen(entry->sublink) > PATH_MAX) {
|
|
Ian Kent |
ff6f3e |
+ error(ap->logopt, MODPREFIX
|
|
Ian Kent |
ff6f3e |
+ "error: sublink option length is too long");
|
|
Ian Kent |
ff6f3e |
+ return 0;
|
|
Ian Kent |
ff6f3e |
+ }
|
|
Ian Kent |
ff6f3e |
strcpy(target, entry->sublink);
|
|
Ian Kent |
ff6f3e |
- else
|
|
Ian Kent |
ff6f3e |
+ } else {
|
|
Ian Kent |
ff6f3e |
+ if (strlen(entry->fs) > PATH_MAX) {
|
|
Ian Kent |
ff6f3e |
+ error(ap->logopt, MODPREFIX
|
|
Ian Kent |
ff6f3e |
+ "error: fs option length is too long");
|
|
Ian Kent |
ff6f3e |
+ return 0;
|
|
Ian Kent |
ff6f3e |
+ }
|
|
Ian Kent |
ff6f3e |
strcpy(target, entry->fs);
|
|
Ian Kent |
ff6f3e |
+ }
|
|
Ian Kent |
ff6f3e |
|
|
Ian Kent |
ff6f3e |
if (!(flags & CONF_AUTOFS_USE_LOFS))
|
|
Ian Kent |
ff6f3e |
goto symlink;
|
|
Ian Kent |
ff6f3e |
@@ -1017,6 +1039,12 @@ static int do_nfs_mount(struct autofs_point *ap, const char *name,
|
|
Ian Kent |
ff6f3e |
unsigned int umount = 0;
|
|
Ian Kent |
ff6f3e |
int ret = 0;
|
|
Ian Kent |
ff6f3e |
|
|
Ian Kent |
ff6f3e |
+ if (strlen(entry->rhost) + strlen(entry->rfs) + 1 > PATH_MAX) {
|
|
Ian Kent |
ff6f3e |
+ error(ap->logopt, MODPREFIX
|
|
Ian Kent |
ff6f3e |
+ "error: rhost + rfs options length is too long");
|
|
Ian Kent |
ff6f3e |
+ return 0;
|
|
Ian Kent |
ff6f3e |
+ }
|
|
Ian Kent |
ff6f3e |
+
|
|
Ian Kent |
ff6f3e |
strcpy(target, entry->rhost);
|
|
Ian Kent |
ff6f3e |
strcat(target, ":");
|
|
Ian Kent |
ff6f3e |
strcat(target, entry->rfs);
|