Closes Debian bug #662194
cf, *lineno, input);
return NULL;
}
+
+ if (p + strlen(cp->value) >= output + outsize) {
+ radlog(L_ERR, "%s[%d]: Reference \"%s\" is too long",
+ cf, *lineno, input);
+ return NULL;
+ }
+
strcpy(p, cp->value);
p += strlen(p);
ptr = end + 1;
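Review bot: The bound test `p + strlen(cp->value) >= output + outsize` forms a pointer that can lie well past the end of `output` when the referenced value is long. That is undefined behaviour in C, and the check can be defeated if the address wraps or the compiler optimises on that assumption. Compare lengths against the remaining space instead: `if (strlen(cp->value) >= (size_t)(output + outsize - p)) {`. The `strlen(env)` check before `strcpy(p, env)` in the next hunk has the same form and needs the same change. The enclosing function starts and ends outside these hunks, so this assumes `p` never exceeds `output + outsize`, which the added checks appear to maintain.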
env = name;
}
+ if (p + strlen(env) >= output + outsize) {
+ radlog(L_ERR, "%s[%d]: Reference \"%s\" is too long",
+ cf, *lineno, input);
+ return NULL;
+ }
+
strcpy(p, env);
p += strlen(p);
ptr = end + 1;
*/
*(p++) = *(ptr++);
}
+
+ if (p >= (output + outsize)) {
+ radlog(L_ERR, "%s[%d]: Reference \"%s\" is too long",
+ cf, *lineno, input);
+ return NULL;
+ }
} /* loop over all of the input string. */
*p = '\0';
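Review bot: The check `if (p >= (output + outsize))` runs after `*(p++) = *(ptr++)` has already stored its byte, so it is safe only if `p` is strictly below `output + outsize` at the top of every iteration. That invariant is not stated anywhere visible and deserves a comment above the check, for example `/* p < output + outsize on entry to each iteration; keep one byte free for the final '\0' */`. The log text says `Reference "%s" is too long`, but this path can also be reached by copying literal characters, so wording such as `Expanded value of "%s" is too long` would be easier to act on. The loop header and the initial value of `p` are outside the hunk, so the invariant should be confirmed against the full function, including the case where `outsize` is 0.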