autofs-5.1.0 - check options length before use in parse_amd.c

From: Ian Kent

Check for temporary buffer overflow before copy at several places in modules/parse_amd.c.
---
 CHANGELOG | 1 +
 modules/parse_amd.c | 36 ++++++++++++++++++++++++++++++++----
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 20290fc..81aadca 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -16,6 +16,7 @@
 - check amd lex buffer len before copy.
 - add return check in ldap check_map_indirect().
 - check host macro is set before use.
+- check options length before use in parse_amd.c.
 
 04/06/2014 autofs-5.1.0
 =======================
diff --git a/modules/parse_amd.c b/modules/parse_amd.c
index 25fe4aa..6764152 100644
--- a/modules/parse_amd.c
+++ b/modules/parse_amd.c
@@ -906,9 +906,20 @@ static int do_auto_mount(struct autofs_point *ap, const char *name,
 {
 char target[PATH_MAX + 1];
 
- if (!entry->map_type)
+ if (!entry->map_type) {
+ if (strlen(entry->fs) > PATH_MAX) {
+ error(ap->logopt, MODPREFIX
+ "error: fs option length is too long");
+ return 0;
+ }
 strcpy(target, entry->fs);
- else {
+ } else {
+ if (strlen(entry->fs) +
+ strlen(entry->map_type) + 5 > PATH_MAX) {
+ error(ap->logopt, MODPREFIX
+ "error: fs + maptype options length is too long");
+ return 0;
+ }
 strcpy(target, entry->map_type);
 strcat(target, ",amd:");
 strcat(target, entry->fs);
@@ -925,10 +936,21 @@ static int do_link_mount(struct autofs_point *ap, const char *name,
 const char *opts = (entry->opts && *entry->opts) ? entry->opts : NULL;
 int ret;
 
- if (entry->sublink)
+ if (entry->sublink) {
+ if (strlen(entry->sublink) > PATH_MAX) {
+ error(ap->logopt, MODPREFIX
+ "error: sublink option length is too long");
+ return 0;
+ }
 strcpy(target, entry->sublink);
- else
+ } else {
+ if (strlen(entry->fs) > PATH_MAX) {
+ error(ap->logopt, MODPREFIX
+ "error: fs option length is too long");
+ return 0;
+ }
 strcpy(target, entry->fs);
+ }
 
 if (!(flags & CONF_AUTOFS_USE_LOFS))
 goto symlink;
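Review bot: In do_auto_mount both new guards leave with `return 0;`, and the hunk does not show that 0 is this function's failure value; the do_link_mount and do_nfs_mount hunks add the same early return, and the context line `int ret = 0;` in do_nfs_mount suggests 0 is the default, non-error result. If callers read 0 as a successful mount, an over-long fs or map_type option would be logged and then reported as mounted. Confirm the convention against the caller and, if 0 means success, return the failure value here instead (presumably `return 1;`). The body of do_auto_mount continues past the hunk, so the final return is not visible.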
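Review bot: In do_link_mount the new checks compare against `PATH_MAX`, but the declaration of `target` lies outside this hunk, so the bound is only right if it is `char target[PATH_MAX + 1]` as in do_auto_mount; the do_nfs_mount hunk has the same dependency. Tying the test to the buffer keeps the two from drifting apart: `if (strlen(entry->sublink) >= sizeof(target)) {` and likewise for `entry->fs`. This assumes `target` is an array in this function rather than a pointer, which should be checked at the declaration.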
@@ -1017,6 +1039,12 @@ static int do_nfs_mount(struct autofs_point *ap, const char *name,
 unsigned int umount = 0;
 int ret = 0;
 
+ if (strlen(entry->rhost) + strlen(entry->rfs) + 1 > PATH_MAX) {
+ error(ap->logopt, MODPREFIX
+ "error: rhost + rfs options length is too long");
+ return 0;
+ }
+
 strcpy(target, entry->rhost);
 strcat(target, ":");
 strcat(target, entry->rfs);
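Review bot: In do_nfs_mount the length test and the strcpy/strcat chain state the same bound twice, with the `+ 1` standing for the `":"` separator without a comment, so a later change to the separator can invalidate the check unnoticed. A single bounded format does both in one step: `int len = snprintf(target, sizeof(target), "%s:%s", entry->rhost, entry->rfs);` followed by `if (len < 0 || (size_t)len >= sizeof(target)) {` around the existing error path. If the copy is kept as is, a comment such as `/* +1 for the ':' separator */` on the test would at least record where the constant comes from. The declaration of `target` is outside the hunk, so `sizeof(target)` assumes it is an array.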