Blob Blame History Raw
autofs-5.1.6 - fix quoted string length calc in expandsunent()

From: Ian Kent <raven@themaw.net>

The expandsunent() function in modules/parse_sun.c fails to properly
handle the ending " in a quoted string causing the length calculation
to not account for the ending quote and also doesn't properly account
for the remainder of the string being expanded.

Also, when called again (after being called to get the length) the
allocated buffer is too small leading to out of bounds accesses.

Signed-off-by: Ian Kent <raven@themaw.net>
---
 CHANGELOG           |    1 +
 modules/parse_sun.c |    6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

--- autofs-5.0.7.orig/CHANGELOG
+++ autofs-5.0.7/CHANGELOG
@@ -353,6 +353,7 @@
 - also use strictexpire for offsets.
 - fix trailing dollar sun entry expansion.
 - initialize struct addrinfo for getaddrinfo() calls.
+- fix quoted string length calc in expandsunent().
 
 25/07/2012 autofs-5.0.7
 =======================
--- autofs-5.0.7.orig/modules/parse_sun.c
+++ autofs-5.0.7/modules/parse_sun.c
@@ -213,9 +213,11 @@ int expandsunent(const char *src, char *
 					*dst++ = *src;
 				src++;
 			}
-			if (*src && dst) {
+			if (*src) {
 				len++;
-				*dst++ = *src++;
+				if (dst)
+					*dst++ = *src;
+				src++;
 			}
 			break;