From: Alan T. DeKok <aland@freeradius.org>
Date: Tue, 6 Mar 2012 11:38:37 +0000 (+0100)
Subject: Check expansion in cf_expand_variables
X-Git-Tag: release_2_2_0~154
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=516dbaabf0ea80d0ff0643dc2ae9a10c4d31494c;p=thirdparty%2Ffreeradius-server.git

Check expansion in cf_expand_variables

Closes Debian bug #662194
---

diff --git a/src/main/conffile.c b/src/main/conffile.c
index 0da828a1746..d424f5ff6a7 100644
--- a/src/main/conffile.c
+++ b/src/main/conffile.c
@@ -774,6 +774,13 @@ static const char *cf_expand_variables(const char *cf, int *lineno,
 				       cf, *lineno, input);
 				return NULL;
 			}
+
+			if (p + strlen(cp->value) >= output + outsize) {
+				radlog(L_ERR, "%s[%d]: Reference \"%s\" is too long",
+				       cf, *lineno, input);
+				return NULL;
+			}
+
 			strcpy(p, cp->value);
 			p += strlen(p);
 			ptr = end + 1;
@@ -819,6 +826,12 @@ static const char *cf_expand_variables(const char *cf, int *lineno,
 				env = name;
 			}
 
+			if (p + strlen(env) >= output + outsize) {
+				radlog(L_ERR, "%s[%d]: Reference \"%s\" is too long",
+				       cf, *lineno, input);
+				return NULL;
+			}
+
 			strcpy(p, env);
 			p += strlen(p);
 			ptr = end + 1;
@@ -829,6 +842,12 @@ static const char *cf_expand_variables(const char *cf, int *lineno,
 			 */
 			*(p++) = *(ptr++);
 		}
+
+		if (p >= (output + outsize)) {
+			radlog(L_ERR, "%s[%d]: Reference \"%s\" is too long",
+			       cf, *lineno, input);
+			return NULL;
+		}
 	} /* loop over all of the input string. */
 
 	*p = '\0';