rpms/autofs
6
0
Fork 0
Code Issues Pull Requests Releases Activity
ff6f3ee6ef
autofs/autofs-5.1.0-check-amd-lex-buffer-len-before-copy.patch

193 lines
3.7 KiB
Diff
Raw Blame History

autofs-5.1.0 - check amd lex buffer len before copy
From: Ian Kent <ikent@redhat.com>
Guard against lex to yacc communication buffer overflow.
---
CHANGELOG | 1 +
modules/amd_tok.l | 49 +++++++++++++++++++++++++++++++------------------
2 files changed, 32 insertions(+), 18 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 840e099..dfbaeb1 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -13,6 +13,7 @@
- fix buffer size checks in get_network_proximity().
- fix leak in get_network_proximity().
- fix buffer size checks in merge_options().
+- check amd lex buffer len before copy.
04/06/2014 autofs-5.1.0
=======================
diff --git a/modules/amd_tok.l b/modules/amd_tok.l
index 5664f67..1d9c234 100644
--- a/modules/amd_tok.l
+++ b/modules/amd_tok.l
@@ -22,6 +22,7 @@
# undef ECHO
#endif
static void amd_echo(void); /* forward definition */
+static void amd_copy_buffer(void);
#define ECHO amd_echo()
int amd_wrap(void);
@@ -125,26 +126,26 @@ CUTSEP (\|\||\/)
{MAPOPT} {
BEGIN(MAPOPTVAL);
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return MAP_OPTION;
}
{FSOPTS} {
BEGIN(FSOPTVAL);
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return FS_OPTION;
}
{MNTOPT} {
BEGIN(MNTOPTVAL);
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return MNT_OPTION;
}
{SELOPT} {
BEGIN(SELOPTVAL);
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return SELECTOR;
}
@@ -152,13 +153,13 @@ CUTSEP (\|\||\/)
{SEL1ARG} {
BEGIN(SELARGVAL);
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return SELECTOR;
}
{SEL2ARG} {
BEGIN(SELARGVAL);
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return SELECTOR;
}
@@ -171,7 +172,7 @@ CUTSEP (\|\||\/)
#.* { return COMMENT; }
{OTHR} {
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return OTHER;
}
}
@@ -201,22 +202,22 @@ CUTSEP (\|\||\/)
":=" { return OPTION_ASSIGN; }
{FSTYPE} {
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return FS_TYPE;
}
{MAPTYPE} {
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return MAP_TYPE;
}
{CHEOPT} {
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return CACHE_OPTION;
}
{FOPT} {
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return FS_OPT_VALUE;
}
}
@@ -246,7 +247,7 @@ CUTSEP (\|\||\/)
":=" { return OPTION_ASSIGN; }
{FOPT} {
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return FS_OPT_VALUE;
}
}
@@ -278,7 +279,7 @@ CUTSEP (\|\||\/)
"," { return COMMA; }
{OPTS} {
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return OPTION;
}
}
@@ -310,7 +311,7 @@ CUTSEP (\|\||\/)
"!=" { return NOT_EQUAL; }
{SOPT} {
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return SELECTOR_VALUE;
}
}
@@ -335,24 +336,24 @@ CUTSEP (\|\||\/)
"(" { return LBRACKET; }
{NOPT} {
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return SEL_ARG_VALUE;
}
{SOPT}/"," {
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return SEL_ARG_VALUE;
}
"," { return COMMA; }
{SOPT} {
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return SEL_ARG_VALUE;
}
{FOPT} {
- strcpy(amd_lval.strtype, amd_text);
+ amd_copy_buffer();
return SEL_ARG_VALUE;
}
@@ -368,6 +369,18 @@ int amd_wrap(void)
return 1;
}
+static void amd_copy_buffer(void)
+{
+ if (amd_leng < 2048)
+ strcpy(amd_lval.strtype, amd_text);
+ else {
+ strncpy(amd_lval.strtype, amd_text, 2047);
+ amd_lval.strtype[2047] = '\0';
+ logmsg("warning: truncated option near %s\n",
+ &amd_lval.strtype[2030]);
+ }
+}
+
static void amd_echo(void)
{
logmsg("%s\n", amd_text);
Reference in New Issue View Git Blame Copy Permalink