Do some bounds checking to insure that the extension doesn't overrun

our mangled filename buffer.

Reported by:	Thomas Kaiser <Thomas.Kaiser@phg-online.de>
Pointy hat to:	me

diff --git a/etc/afpd/mangle.c b/etc/afpd/mangle.c
index 9b3e324f3e74989ee34181d58c29c5990dcebb88..adcea173b8c7544cf91077458a44c2dc8eada97d 100644 (file)
--- a/etc/afpd/mangle.c
+++ b/etc/afpd/mangle.c
@@ -1,5 +1,5 @@
 /* 
- * $Id: mangle.c,v 1.7 2002-06-09 07:15:44 jmarcus Exp $ 
+ * $Id: mangle.c,v 1.8 2002-07-04 18:14:38 jmarcus Exp $ 
  *
  * Copyright (c) 2002. Joe Marcus Clarke (marcus@marcuscom.com)
  * All Rights Reserved.  See COPYRIGHT.
@@ -67,6 +67,10 @@ mangle(const struct vol *vol, char *filename) {
     /* First, attmept to locate a file extension. */
     if ((ext = strrchr(filename, '.')) != NULL) {
        ext_len = strlen(ext);
+       if (ext_len > MAX_EXT_LENGTH) {
+           /* Do some bounds checking to prevent an extension overflow. */
+           ext_len = MAX_EXT_LENGTH;
+       }
     }
 
     /* Check to see if we already have a mangled filename by this name. */
@@ -80,7 +84,7 @@ mangle(const struct vol *vol, char *filename) {
        strcat(m, mangle_suffix);
 
        if (ext) {
-               strcat(m, ext);
+               strncat(m, ext, ext_len);
        }
 
        tf = cnid_mangle_get(vol->v_db, m);

diff --git a/etc/afpd/mangle.h b/etc/afpd/mangle.h
index 6010c442a54aabb22161ffd047e30966ac994044..55b8d88dc3fb9126093ad18c80bd7a53f36ca4d1 100644 (file)
--- a/etc/afpd/mangle.h
+++ b/etc/afpd/mangle.h
@@ -1,5 +1,5 @@
 /*
- * $Id: mangle.h,v 1.1 2002-05-29 18:02:59 jmarcus Exp $
+ * $Id: mangle.h,v 1.2 2002-07-04 18:14:38 jmarcus Exp $
  *
  */
 
@@ -21,6 +21,7 @@
 #define MANGLE_CHAR "~"
 #define MANGLE_LENGTH 3 /* XXX This really can't be changed. */
 #define MAX_MANGLE_SUFFIX_LENGTH 999
+#define MAX_EXT_LENGTH 4 /* XXX This cannot be greater than 27 */
 #define MAX_LENGTH 31
 
 extern char *mangle __P((const struct vol *, char *));