autofs-5.1.0 - check options length before use in parse_amd.c

From: Ian Kent <ikent@redhat.com>

Check for temporary buffer overflow before copy at several places in

modules/parse_amd.c.

---

 CHANGELOG           |    1 +

 modules/parse_amd.c |   36 ++++++++++++++++++++++++++++++++----

 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG

index 20290fc..81aadca 100644

--- a/CHANGELOG

+++ b/CHANGELOG

@@ -16,6 +16,7 @@

 - check amd lex buffer len before copy.

 - add return check in ldap check_map_indirect().

 - check host macro is set before use.

+- check options length before use in parse_amd.c.

 04/06/2014 autofs-5.1.0

 =======================

diff --git a/modules/parse_amd.c b/modules/parse_amd.c

index 25fe4aa..6764152 100644

--- a/modules/parse_amd.c

+++ b/modules/parse_amd.c

@@ -906,9 +906,20 @@ static int do_auto_mount(struct autofs_point *ap, const char *name,

 {

 	char target[PATH_MAX + 1];

-	if (!entry->map_type)

+	if (!entry->map_type) {

+		if (strlen(entry->fs) > PATH_MAX) {

+			error(ap->logopt, MODPREFIX

+			     "error: fs option length is too long");

+			return 0;

+		}

 		strcpy(target, entry->fs);

-	else {

+	} else {

+		if (strlen(entry->fs) +

+		    strlen(entry->map_type) + 5 > PATH_MAX) {

+			error(ap->logopt, MODPREFIX

+			     "error: fs + maptype options length is too long");

+			return 0;

+		}

 		strcpy(target, entry->map_type);

 		strcat(target, ",amd:");

 		strcat(target, entry->fs);

@@ -925,10 +936,21 @@ static int do_link_mount(struct autofs_point *ap, const char *name,

 	const char *opts = (entry->opts && *entry->opts) ? entry->opts : NULL;

 	int ret;

-	if (entry->sublink)

+	if (entry->sublink) {

+		if (strlen(entry->sublink) > PATH_MAX) {

+			error(ap->logopt, MODPREFIX

+			     "error: sublink option length is too long");

+			return 0;

+		}

 		strcpy(target, entry->sublink);

-	else

+	} else {

+		if (strlen(entry->fs) > PATH_MAX) {

+			error(ap->logopt, MODPREFIX

+			     "error: fs option length is too long");

+			return 0;

+		}

 		strcpy(target, entry->fs);

+	}

 	if (!(flags & CONF_AUTOFS_USE_LOFS))

 		goto symlink;

@@ -1017,6 +1039,12 @@ static int do_nfs_mount(struct autofs_point *ap, const char *name,

 	unsigned int umount = 0;

 	int ret = 0;

+	if (strlen(entry->rhost) + strlen(entry->rfs) + 1 > PATH_MAX) {

+		error(ap->logopt, MODPREFIX

+		     "error: rhost + rfs options length is too long");

+		return 0;

+	}

+

 	strcpy(target, entry->rhost);

 	strcat(target, ":");

 	strcat(target, entry->rfs);