autofs-5.1.0 - check amd lex buffer len before copy From: Ian Kent Guard against lex to yacc communication buffer overflow. --- CHANGELOG | 1 + modules/amd_tok.l | 49 +++++++++++++++++++++++++++++++------------------ 2 files changed, 32 insertions(+), 18 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 840e099..dfbaeb1 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -13,6 +13,7 @@ - fix buffer size checks in get_network_proximity(). - fix leak in get_network_proximity(). - fix buffer size checks in merge_options(). +- check amd lex buffer len before copy. 04/06/2014 autofs-5.1.0 ======================= diff --git a/modules/amd_tok.l b/modules/amd_tok.l index 5664f67..1d9c234 100644 --- a/modules/amd_tok.l +++ b/modules/amd_tok.l @@ -22,6 +22,7 @@ # undef ECHO #endif static void amd_echo(void); /* forward definition */ +static void amd_copy_buffer(void); #define ECHO amd_echo() int amd_wrap(void); @@ -125,26 +126,26 @@ CUTSEP (\|\||\/) {MAPOPT} { BEGIN(MAPOPTVAL); - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return MAP_OPTION; } {FSOPTS} { BEGIN(FSOPTVAL); - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return FS_OPTION; } {MNTOPT} { BEGIN(MNTOPTVAL); - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return MNT_OPTION; } {SELOPT} { BEGIN(SELOPTVAL); - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return SELECTOR; } @@ -152,13 +153,13 @@ CUTSEP (\|\||\/) {SEL1ARG} { BEGIN(SELARGVAL); - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return SELECTOR; } {SEL2ARG} { BEGIN(SELARGVAL); - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return SELECTOR; } @@ -171,7 +172,7 @@ CUTSEP (\|\||\/) #.* { return COMMENT; } {OTHR} { - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return OTHER; } } 
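Review bot: A token that had to be cut to fit is still returned to the parser as if it were complete, in every rule of the `@@ -125,26`, `@@ -152,13` and `@@ -171,7` hunks and in the later rule hunks through the SEL_ARG_VALUE rules. Each rule returns its token unconditionally after `amd_copy_buffer();`, the helper returns void, and the only signal is a log warning. A shortened option, selector or location value from a map entry may therefore be acted on, although the parser's handling is not visible in this diff. Consider having the helper report truncation and having each rule stop the parse of that entry rather than return the normal token. At minimum, document the behaviour at the declaration with `/* copies amd_text to amd_lval.strtype; over-long tokens are truncated, not rejected */`.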
@@ -201,22 +202,22 @@ CUTSEP (\|\||\/) ":=" { return OPTION_ASSIGN; } {FSTYPE} { - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return FS_TYPE; } {MAPTYPE} { - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return MAP_TYPE; } {CHEOPT} { - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return CACHE_OPTION; } {FOPT} { - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return FS_OPT_VALUE; } } @@ -246,7 +247,7 @@ CUTSEP (\|\||\/) ":=" { return OPTION_ASSIGN; } {FOPT} { - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return FS_OPT_VALUE; } } @@ -278,7 +279,7 @@ CUTSEP (\|\||\/) "," { return COMMA; } {OPTS} { - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return OPTION; } } @@ -310,7 +311,7 @@ CUTSEP (\|\||\/) "!=" { return NOT_EQUAL; } {SOPT} { - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return SELECTOR_VALUE; } } @@ -335,24 +336,24 @@ CUTSEP (\|\||\/) "(" { return LBRACKET; } {NOPT} { - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return SEL_ARG_VALUE; } {SOPT}/"," { - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return SEL_ARG_VALUE; } "," { return COMMA; } {SOPT} { - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return SEL_ARG_VALUE; } {FOPT} { - strcpy(amd_lval.strtype, amd_text); + amd_copy_buffer(); return SEL_ARG_VALUE; } @@ -368,6 +369,18 @@ int amd_wrap(void) return 1; } +static void amd_copy_buffer(void) +{ + if (amd_leng < 2048) + strcpy(amd_lval.strtype, amd_text); + else { + strncpy(amd_lval.strtype, amd_text, 2047); + amd_lval.strtype[2047] = '\0'; + logmsg("warning: truncated option near %s\n", + &amd_lval.strtype[2030]); + } +} + static void amd_echo(void) { logmsg("%s\n", amd_text);
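Review bot: The bound in `amd_copy_buffer()` (hunk `@@ -368,6 +369,18`) is the literal 2048, with 2047 and 2030 derived from it by hand. The check therefore protects the copy only while `amd_lval.strtype` is exactly that size, and its declaration is outside this diff. If `strtype` is a fixed-size array in the parser's union, derive the limit from the destination: `if (amd_leng < (int) sizeof(amd_lval.strtype))` and `amd_lval.strtype[sizeof(amd_lval.strtype) - 1] = '\0';`. Alternatively, share one named constant between the union and this function so the two cannot drift apart. The offset 2030 used for the log tail should be computed from the same limit.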