From: Alan T. DeKok Date: Tue, 6 Mar 2012 11:38:37 +0000 (+0100) Subject: Check expansion in cf_expand_variables X-Git-Tag: release_3_0_0_beta0~263 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0acdbc8e350932fb602c559d42e196e09e177a18;p=thirdparty%2Ffreeradius-server.git Check expansion in cf_expand_variables Closes Debian bug #662194 --- diff --git a/src/main/conffile.c b/src/main/conffile.c index 48960cd86c3..b25d9e242c0 100644 --- a/src/main/conffile.c +++ b/src/main/conffile.c @@ -805,6 +805,13 @@ static const char *cf_expand_variables(const char *cf, int *lineno, cf, *lineno, input); return NULL; } + + if (p + strlen(cp->value) >= output + outsize) { + radlog(L_ERR, "%s[%d]: Reference \"%s\" is too long", + cf, *lineno, input); + return NULL; + } + strcpy(p, cp->value); p += strlen(p); ptr = end + 1; @@ -850,6 +857,12 @@ static const char *cf_expand_variables(const char *cf, int *lineno, env = name; } + if (p + strlen(env) >= output + outsize) { + radlog(L_ERR, "%s[%d]: Reference \"%s\" is too long", + cf, *lineno, input); + return NULL; + } + strcpy(p, env); p += strlen(p); ptr = end + 1; @@ -861,7 +874,12 @@ static const char *cf_expand_variables(const char *cf, int *lineno, *(p++) = *(ptr++); } - if ((p - output) > outsize) return NULL; + + if (p >= (output + outsize)) { + radlog(L_ERR, "%s[%d]: Reference \"%s\" is too long", + cf, *lineno, input); + return NULL; + } } /* loop over all of the input string. */ *p = '\0';
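Review bot: The new guard `p + strlen(cp->value) >= output + outsize` does its bounds test in pointer arithmetic, so a value longer than the remaining space forms a pointer past the end of `output`. C leaves that undefined, and an optimiser, or a wrap near the top of the address space, can let the check pass when it should fail. Comparing lengths avoids this: `if (strlen(cp->value) >= (size_t)((output + outsize) - p)) {`, which assumes `p` never exceeds `output + outsize` here (the loop head is outside the hunk, so this is not confirmed). The second hunk uses the same form for `env` and should change with it. Holding the length in a local would also allow `memcpy(p, cp->value, len + 1); p += len;` in place of the repeated `strlen`/`strcpy` passes.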
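Review bot: The log text `Reference \"%s\" is too long` is byte-identical in all three new checks and prints the whole `input` line, so an operator cannot tell from the log which expansion path rejected the line. In this hunk the string that does not fit is `env` (or `name`, when the visible fallback `env = name` was taken), which appears to be an environment value and not something the administrator can see in the config file. A distinct message here, for example `"%s[%d]: Environment variable expansion in \"%s\" is too long"`, would make the failure traceable. The third hunk has the same issue for the plain character copy, where no reference is involved at all.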
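Review bot: The check `if (p >= (output + outsize))` runs only after `*(p++) = *(ptr++);` has already stored the byte, so it prevents an overflow only if `p < output + outsize` holds at the top of every iteration. That invariant is not visible in the hunk: the loop head and the function entry are outside it, and a call with `outsize == 0` would make the first store out of bounds before any check runs. A comment above the check would pin the contract, e.g. `/* Invariant: p < output + outsize at loop top, so the final *p = '\0' stays in bounds. */`. An early `if (outsize == 0) return NULL;` at function entry would close the remaining case, if callers can pass that.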