autofs-5.1.0 - check options length before use in parse_amd.c
From: Ian Kent <ikent@redhat.com>
Check for temporary buffer overflow before copy at several places in
modules/parse_amd.c.
---
CHANGELOG | 1 +
modules/parse_amd.c | 36 ++++++++++++++++++++++++++++++++----
2 files changed, 33 insertions(+), 4 deletions(-)
--- autofs-5.0.7.orig/CHANGELOG
+++ autofs-5.0.7/CHANGELOG
@@ -141,6 +141,7 @@
- check amd lex buffer len before copy.
- add return check in ldap check_map_indirect().
- check host macro is set before use.
+- check options length before use in parse_amd.c.
25/07/2012 autofs-5.0.7
=======================
--- autofs-5.0.7.orig/modules/parse_amd.c
+++ autofs-5.0.7/modules/parse_amd.c
@@ -906,9 +906,20 @@ static int do_auto_mount(struct autofs_p
{
char target[PATH_MAX + 1];
- if (!entry->map_type)
+ if (!entry->map_type) {
+ if (strlen(entry->fs) > PATH_MAX) {
+ error(ap->logopt, MODPREFIX
+ "error: fs option length is too long");
+ return 0;
+ }
strcpy(target, entry->fs);
- else {
+ } else {
+ if (strlen(entry->fs) +
+ strlen(entry->map_type) + 5 > PATH_MAX) {
+ error(ap->logopt, MODPREFIX
+ "error: fs + maptype options length is too long");
+ return 0;
+ }
strcpy(target, entry->map_type);
strcat(target, ",amd:");
strcat(target, entry->fs);
@@ -925,10 +936,21 @@ static int do_link_mount(struct autofs_p
const char *opts = (entry->opts && *entry->opts) ? entry->opts : NULL;
int ret;
- if (entry->sublink)
+ if (entry->sublink) {
+ if (strlen(entry->sublink) > PATH_MAX) {
+ error(ap->logopt, MODPREFIX
+ "error: sublink option length is too long");
+ return 0;
+ }
strcpy(target, entry->sublink);
- else
+ } else {
+ if (strlen(entry->fs) > PATH_MAX) {
+ error(ap->logopt, MODPREFIX
+ "error: fs option length is too long");
+ return 0;
+ }
strcpy(target, entry->fs);
+ }
if (!(flags & CONF_AUTOFS_USE_LOFS))
goto symlink;
@@ -1017,6 +1039,12 @@ static int do_nfs_mount(struct autofs_po
unsigned int umount = 0;
int ret = 0;
+ if (strlen(entry->rhost) + strlen(entry->rfs) + 1 > PATH_MAX) {
+ error(ap->logopt, MODPREFIX
+ "error: rhost + rfs options length is too long");
+ return 0;
+ }
+
strcpy(target, entry->rhost);
strcat(target, ":");
strcat(target, entry->rfs);