diff options
| author | Petr Písař <ppisar@redhat.com> | 2018-02-05 10:31:47 +0100 |
|---|---|---|
| committer | Jan Kara <jack@suse.cz> | 2018-02-05 16:44:12 +0100 |
| commit | 338a07c9de2f5a86c7e030bde7fc2f3d9583c4dc (patch) | |
| tree | f99dec52e1c9c963ada2711585c1321f3392f876 | |
| parent | abbb2d17a3478e64173334ddb27f3d0a0f0372f9 (diff) | |
warnquota: Check snprintf() for overflows
GCC 8 with GNU libc 2.27 prerelease warns:
gcc -DHAVE_CONFIG_H -I. -g -O2 -Wall -fPIC -I/usr/include/tirpc -c -o warnquota.o warnquota.c
warnquota.c: In function ‘lookup_user’:
warnquota.c:415:29: warning: ‘%s’ directive output may be truncated writing up to 2047 bytes into a region of size 255 [-Wformat-truncation=]
snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, user);
^~
warnquota.c:415:2: note: ‘snprintf’ output 4 or more bytes (assuming 2051) into a destination of size 256
snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, user);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
warnquota.c: In function ‘warn_quota’:
warnquota.c:896:51: warning: ‘%s’ directive output may be truncated writing up to 2047 bytes into a region of size 2041 [-Wformat-truncation=]
snprintf(config->ldap_uri, CNF_BUFFER, "ldap://%s:%d", config->ldap_host, config->ldap_port);
^~ ~~~~~~~~~~~~~~~~~
warnquota.c:896:4: note: ‘snprintf’ output between 10 and 2067 bytes into a destination of size 2048
snprintf(config->ldap_uri, CNF_BUFFER, "ldap://%s:%d", config->ldap_host, config->ldap_port);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is patch fixes it by catching the cases when snprintf() truncates and
reporting an error.
Perfect fix would fall back into dynamically allocated buffers but
I think that would make these corner case too complicated provided
nobody had yet complained about them.
Signed-off-by: Petr Písař <ppisar@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
| -rw-r--r-- | warnquota.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/warnquota.c b/warnquota.c index 073c45e..bc11055 100644 --- a/warnquota.c +++ b/warnquota.c @@ -412,7 +412,13 @@ static char *lookup_user(struct configparams *config, char *user) } /* search for the offender_name in ldap */ - snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, user); + if (256 <= snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, + user)) { + errstr(_("Could not format LDAP search filter for %s user and " + "%s search attribute due to excessive length.\n"), + user, config->ldap_search_attr); + return NULL; + } ret = ldap_search_ext_s(ldapconn, config->ldap_basedn, LDAP_SCOPE_SUBTREE, searchbuf, NULL, 0, NULL, NULL, NULL, @@ -893,7 +899,14 @@ cc_parse_err: if (config->use_ldap_mail) { if (!config->ldap_uri[0]) { - snprintf(config->ldap_uri, CNF_BUFFER, "ldap://%s:%d", config->ldap_host, config->ldap_port); + if (CNF_BUFFER <= snprintf(config->ldap_uri, CNF_BUFFER, + "ldap://%s:%d", config->ldap_host, + config->ldap_port)) { + errstr(_("Could not format LDAP URI because " + "it's longer than %d bytes.\n"), + CNF_BUFFER); + return -1; + } errstr(_("LDAP library version >= 2.3 detected. Please use LDAP_URI instead of hostname and port.\nGenerated URI %s\n"), config->ldap_uri); } } |