autofs-5.1.0 - check amd lex buffer len before copy

From: Ian Kent <ikent@redhat.com>

Guard against lex to yacc communication buffer overflow.

---

 CHANGELOG         |    1 +

 modules/amd_tok.l |   49 +++++++++++++++++++++++++++++++------------------

 2 files changed, 32 insertions(+), 18 deletions(-)

--- autofs-5.0.7.orig/CHANGELOG

+++ autofs-5.0.7/CHANGELOG

@@ -138,6 +138,7 @@

 - fix buffer size checks in get_network_proximity().

 - fix leak in get_network_proximity().

 - fix buffer size checks in merge_options().

+- check amd lex buffer len before copy.

 25/07/2012 autofs-5.0.7

 =======================

--- autofs-5.0.7.orig/modules/amd_tok.l

+++ autofs-5.0.7/modules/amd_tok.l

@@ -22,6 +22,7 @@

 # undef ECHO

 #endif

 static void amd_echo(void);	/* forward definition */

+static void amd_copy_buffer(void);

 #define ECHO amd_echo()

 int amd_wrap(void);

@@ -125,26 +126,26 @@ CUTSEP		(\|\||\/)

 	{MAPOPT} {

 		BEGIN(MAPOPTVAL);

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return MAP_OPTION;

 	}

 	{FSOPTS} {

 		BEGIN(FSOPTVAL);

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return FS_OPTION;

 	}

 	{MNTOPT} {

 		BEGIN(MNTOPTVAL);

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return MNT_OPTION;

 	}

 	{SELOPT} {

 		BEGIN(SELOPTVAL);

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return SELECTOR;

 	}

@@ -152,13 +153,13 @@ CUTSEP		(\|\||\/)

 	{SEL1ARG} {

 		BEGIN(SELARGVAL);

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return SELECTOR;

 	}

 	{SEL2ARG} {

 		BEGIN(SELARGVAL);

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return SELECTOR;

 	}

@@ -171,7 +172,7 @@ CUTSEP		(\|\||\/)

 	#.*  { return COMMENT; }

 	{OTHR} {

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return OTHER;

 	}

 }

@@ -201,22 +202,22 @@ CUTSEP		(\|\||\/)

 	":=" { return OPTION_ASSIGN; }

 	{FSTYPE} {

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return FS_TYPE;

 	}

 	{MAPTYPE} {

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return MAP_TYPE;

 	}

 	{CHEOPT} {

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return CACHE_OPTION;

 	}

 	{FOPT} {

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return FS_OPT_VALUE;

 	}

 }

@@ -246,7 +247,7 @@ CUTSEP		(\|\||\/)

 	":=" { return OPTION_ASSIGN; }

 	{FOPT} {

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return FS_OPT_VALUE;

 	}

 }

@@ -278,7 +279,7 @@ CUTSEP		(\|\||\/)

 	"," { return COMMA; }

 	{OPTS} {

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return OPTION;

 	}

 }

@@ -310,7 +311,7 @@ CUTSEP		(\|\||\/)

 	"!=" { return NOT_EQUAL; }

 	{SOPT} {

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return SELECTOR_VALUE;

 	}

 }

@@ -335,24 +336,24 @@ CUTSEP		(\|\||\/)

 	"(" { return LBRACKET; }

 	{NOPT} {

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return SEL_ARG_VALUE;

 	}

 	{SOPT}/"," {

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return SEL_ARG_VALUE;

 	}

 	"," { return COMMA; }

 	{SOPT} {

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return SEL_ARG_VALUE;

 	}

 	{FOPT} {

-		strcpy(amd_lval.strtype, amd_text);

+		amd_copy_buffer();

 		return SEL_ARG_VALUE;

 	}

@@ -368,6 +369,18 @@ int amd_wrap(void)

 	return 1;

 }

+static void amd_copy_buffer(void)

+{

+	if (amd_leng < 2048)

+		strcpy(amd_lval.strtype, amd_text);

+	else {

+		strncpy(amd_lval.strtype, amd_text, 2047);

+		amd_lval.strtype[2047] = '\0';

+		logmsg("warning: truncated option near %s\n",

+			&amd_lval.strtype[2030]);

+	}

+}

+

 static void amd_echo(void)

 {

 	logmsg("%s\n", amd_text);