Blob Blame History Raw
autofs-5.1.0 - check options length before use in parse_amd.c

From: Ian Kent <ikent@redhat.com>

Check for temporary buffer overflow before copy at several places in
modules/parse_amd.c.
---
 CHANGELOG           |    1 +
 modules/parse_amd.c |   36 ++++++++++++++++++++++++++++++++----
 2 files changed, 33 insertions(+), 4 deletions(-)

--- autofs-5.0.7.orig/CHANGELOG
+++ autofs-5.0.7/CHANGELOG
@@ -141,6 +141,7 @@
 - check amd lex buffer len before copy.
 - add return check in ldap check_map_indirect().
 - check host macro is set before use.
+- check options length before use in parse_amd.c.
 
 25/07/2012 autofs-5.0.7
 =======================
--- autofs-5.0.7.orig/modules/parse_amd.c
+++ autofs-5.0.7/modules/parse_amd.c
@@ -906,9 +906,20 @@ static int do_auto_mount(struct autofs_p
 {
 	char target[PATH_MAX + 1];
 
-	if (!entry->map_type)
+	if (!entry->map_type) {
+		if (strlen(entry->fs) > PATH_MAX) {
+			error(ap->logopt, MODPREFIX
+			     "error: fs option length is too long");
+			return 0;
+		}
 		strcpy(target, entry->fs);
-	else {
+	} else {
+		if (strlen(entry->fs) +
+		    strlen(entry->map_type) + 5 > PATH_MAX) {
+			error(ap->logopt, MODPREFIX
+			     "error: fs + maptype options length is too long");
+			return 0;
+		}
 		strcpy(target, entry->map_type);
 		strcat(target, ",amd:");
 		strcat(target, entry->fs);
@@ -925,10 +936,21 @@ static int do_link_mount(struct autofs_p
 	const char *opts = (entry->opts && *entry->opts) ? entry->opts : NULL;
 	int ret;
 
-	if (entry->sublink)
+	if (entry->sublink) {
+		if (strlen(entry->sublink) > PATH_MAX) {
+			error(ap->logopt, MODPREFIX
+			     "error: sublink option length is too long");
+			return 0;
+		}
 		strcpy(target, entry->sublink);
-	else
+	} else {
+		if (strlen(entry->fs) > PATH_MAX) {
+			error(ap->logopt, MODPREFIX
+			     "error: fs option length is too long");
+			return 0;
+		}
 		strcpy(target, entry->fs);
+	}
 
 	if (!(flags & CONF_AUTOFS_USE_LOFS))
 		goto symlink;
@@ -1017,6 +1039,12 @@ static int do_nfs_mount(struct autofs_po
 	unsigned int umount = 0;
 	int ret = 0;
 
+	if (strlen(entry->rhost) + strlen(entry->rfs) + 1 > PATH_MAX) {
+		error(ap->logopt, MODPREFIX
+		     "error: rhost + rfs options length is too long");
+		return 0;
+	}
+
 	strcpy(target, entry->rhost);
 	strcat(target, ":");
 	strcat(target, entry->rfs);