Blob Blame History Raw
autofs-5.1.0 - check amd lex buffer len before copy

From: Ian Kent <ikent@redhat.com>

Guard against lex to yacc communication buffer overflow.
---
 CHANGELOG         |    1 +
 modules/amd_tok.l |   49 +++++++++++++++++++++++++++++++------------------
 2 files changed, 32 insertions(+), 18 deletions(-)

--- autofs-5.0.7.orig/CHANGELOG
+++ autofs-5.0.7/CHANGELOG
@@ -138,6 +138,7 @@
 - fix buffer size checks in get_network_proximity().
 - fix leak in get_network_proximity().
 - fix buffer size checks in merge_options().
+- check amd lex buffer len before copy.
 
 25/07/2012 autofs-5.0.7
 =======================
--- autofs-5.0.7.orig/modules/amd_tok.l
+++ autofs-5.0.7/modules/amd_tok.l
@@ -22,6 +22,7 @@
 # undef ECHO
 #endif
 static void amd_echo(void);	/* forward definition */
+static void amd_copy_buffer(void);
 #define ECHO amd_echo()
 int amd_wrap(void);
 
@@ -125,26 +126,26 @@ CUTSEP		(\|\||\/)
 
 	{MAPOPT} {
 		BEGIN(MAPOPTVAL);
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return MAP_OPTION;
 
 	}
 
 	{FSOPTS} {
 		BEGIN(FSOPTVAL);
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return FS_OPTION;
 	}
 
 	{MNTOPT} {
 		BEGIN(MNTOPTVAL);
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return MNT_OPTION;
 	}
 
 	{SELOPT} {
 		BEGIN(SELOPTVAL);
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return SELECTOR;
 	}
 
@@ -152,13 +153,13 @@ CUTSEP		(\|\||\/)
 
 	{SEL1ARG} {
 		BEGIN(SELARGVAL);
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return SELECTOR;
 	}
 
 	{SEL2ARG} {
 		BEGIN(SELARGVAL);
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return SELECTOR;
 	}
 
@@ -171,7 +172,7 @@ CUTSEP		(\|\||\/)
 	#.*  { return COMMENT; }
 
 	{OTHR} {
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return OTHER;
 	}
 }
@@ -201,22 +202,22 @@ CUTSEP		(\|\||\/)
 	":=" { return OPTION_ASSIGN; }
 
 	{FSTYPE} {
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return FS_TYPE;
 	}
 
 	{MAPTYPE} {
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return MAP_TYPE;
 	}
 
 	{CHEOPT} {
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return CACHE_OPTION;
 	}
 
 	{FOPT} {
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return FS_OPT_VALUE;
 	}
 }
@@ -246,7 +247,7 @@ CUTSEP		(\|\||\/)
 	":=" { return OPTION_ASSIGN; }
 
 	{FOPT} {
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return FS_OPT_VALUE;
 	}
 }
@@ -278,7 +279,7 @@ CUTSEP		(\|\||\/)
 	"," { return COMMA; }
 
 	{OPTS} {
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return OPTION;
 	}
 }
@@ -310,7 +311,7 @@ CUTSEP		(\|\||\/)
 	"!=" { return NOT_EQUAL; }
 
 	{SOPT} {
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return SELECTOR_VALUE;
 	}
 }
@@ -335,24 +336,24 @@ CUTSEP		(\|\||\/)
 	"(" { return LBRACKET; }
 
 	{NOPT} {
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return SEL_ARG_VALUE;
 	}
 
 	{SOPT}/"," {
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return SEL_ARG_VALUE;
 	}
 
 	"," { return COMMA; }
 
 	{SOPT} {
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return SEL_ARG_VALUE;
 	}
 
 	{FOPT} {
-		strcpy(amd_lval.strtype, amd_text);
+		amd_copy_buffer();
 		return SEL_ARG_VALUE;
 	}
 
@@ -368,6 +369,18 @@ int amd_wrap(void)
 	return 1;
 }
 
+static void amd_copy_buffer(void)
+{
+	if (amd_leng < 2048)
+		strcpy(amd_lval.strtype, amd_text);
+	else {
+		strncpy(amd_lval.strtype, amd_text, 2047);
+		amd_lval.strtype[2047] = '\0';
+		logmsg("warning: truncated option near %s\n",
+			&amd_lval.strtype[2030]);
+	}
+}
+
 static void amd_echo(void)
 {
 	logmsg("%s\n", amd_text);