[Bug 529416] New: Tokenizer in autofs broken
http://bugzilla.novell.com/show_bug.cgi?id=529416

Summary: Tokenizer in autofs broken
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: All
OS/Version: openSUSE 11.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: pjb1008@cam.ac.uk
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1.14) Gecko/20080410 SUSE/2.0.0.14-0.1 Firefox/2.0.0.14

The tokenizer (master_tok.l) uses a mixture of string and memory options in an unsafe way. As a result, entries can be corrupt when read if a string token follows a non-string token.

Reproducible: Always

Steps to Reproduce:

Create a map containing a string token:

    /auto /etc/auto.auto ro,hard,intr,nosuid,nodev
    /home /etc/auto.home rw,hard,intr,nosuid,nodev
    /profile /etc/auto.profile rw,hard,intr,nosuid,nodev

Actual Results:

/etc/auto.auto and /etc/auto.home load as expected. /etc/auto.profile is read as /etc/auto.proefil

If you miss out the auto.home map, /etc/auto.profile is read as /etc/auto.proofile.

There is the potential for a buffer overrun causing the automounter to crash.

Expected Results:

Expected results are that the line is read as /etc/auto.profile.

In the definition of <MAPSTR> in master_tok.l, there is the following code:

    {MULTI} {
            tlen = master_leng - 1;
            if (bptr != buff && isblank(master_text[tlen])) {
                    strncat(buff, master_text, tlen);
                    bptr += tlen;
                    yyless(tlen);
            } else {
                    strcpy(master_lval.strtype, master_text);
                    return(MULTITYPE);
            }
    }

and later in the same block:

    . { *bptr++ = *master_text; }

When parsing /etc/auto.profile, the parser reads a sequence of characters into the end of buff: /,e,t,c,/,a,u,t,o,.,p,r,o. Then it reads 'file', as a single string token, concatenating it to the end of buff. buff is not NUL terminated. buff still contains data from the line above, so the string is copied to the end of that string.

The number of characters written, bptr-buff, is maintained correctly, so the resulting string is truncated to the right number of characters.
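The corruption described in the report can be reproduced with a small stand-alone model. This is an added example, not code from autofs or from the reporter: the names BUFSZ, reset_lexer, put_token_unsafe, put_token_safe and lex_path are hypothetical, and the hardened variant is one possible correction rather than the upstream fix. It assumes that only bptr is reset between map lines and that the result is NUL-terminated at bptr when emitted.

```c
#include <stdio.h>
#include <string.h>
#define BUFSZ 64
static char buff[BUFSZ], *bptr;  /* static: contents survive from one map line to the next */

static void reset_lexer(void) { memset(buff, 0, sizeof buff); bptr = buff; }

/* Pattern from the report: strncat() appends at the first NUL in buff, not at bptr. */
static void put_token_unsafe(const char *tok, size_t tlen)
{
    strncat(buff, tok, tlen);
    bptr += tlen;
}

/* Hardened form: write where bptr points and refuse tokens that do not fit. */
static int put_token_safe(const char *tok, size_t tlen)
{
    if (tlen >= BUFSZ - (size_t)(bptr - buff))
        return -1;
    memcpy(bptr, tok, tlen);
    bptr += tlen;
    return 0;
}

/* Model of lexing one map path: `head` arrives one character at a time (the "."
 * rule); `tok`, if non-NULL, is a multi-character token with one trailing blank. */
static const char *lex_path(const char *head, const char *tok, int safe)
{
    bptr = buff;                        /* assumption: only the pointer is reset */
    while (*head && bptr < buff + BUFSZ - 1)
        *bptr++ = *head++;
    if (tok) {
        size_t tlen = strlen(tok) - 1;  /* mirrors tlen = master_leng - 1 */
        if (!safe)
            put_token_unsafe(tok, tlen);
        else if (put_token_safe(tok, tlen) != 0)
            return NULL;
    }
    *bptr = '\0';                       /* assumption: terminated at bptr when emitted */
    return buff;
}

int main(void)
{
    for (int safe = 0; safe <= 1; safe++) {
        reset_lexer();
        lex_path("/etc/auto.home", NULL, safe);  /* constructed previous map line */
        puts(lex_path("/etc/auto.pro", "file ", safe));
    }
}
```

In the unsafe run the stale 'e' left over from auto.home sits between "pro" and the appended "file", and terminating at bptr then cuts off the final character.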