From 61b5fd6f32e9ccb612df1354a3e3b3bed5f2b808 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Mon, 31 Aug 1998 03:11:42 +0000
Subject: bounds check next_token() to prevent possible buffer overflows
(This used to be commit 3eade55dc7c842bdc50205c330802d211fae54d3)
---
 source3/lib/interface.c | 2 +-
 source3/lib/username.c | 2 +-
 source3/lib/util.c | 26 +++++++++++++++-----------
 3 files changed, 17 insertions(+), 13 deletions(-)
(limited to 'source3/lib')
diff --git a/source3/lib/interface.c b/source3/lib/interface.c
index 8cc5cfb0b1..581a2135bd 100644
--- a/source3/lib/interface.c
+++ b/source3/lib/interface.c
@@ -136,7 +136,7 @@ static void interpret_interfaces(char *s, struct interface **interfaces,
 allones_ip = *interpret_addr2("255.255.255.255");
 loopback_ip = *interpret_addr2("127.0.0.1");
- while (next_token(&ptr,token,NULL)) {
+ while (next_token(&ptr,token,NULL,sizeof(token))) {
 /* parse it into an IP address/netmasklength pair */
 char *p = strchr(token,'/');
 if (p) *p++ = 0;
diff --git a/source3/lib/username.c b/source3/lib/username.c
index a9d391f11a..f56f7efce2 100644
--- a/source3/lib/username.c
+++ b/source3/lib/username.c
@@ -297,7 +297,7 @@ BOOL user_in_list(char *user,char *list)
 pstring tok;
 char *p=list;
- while (next_token(&p,tok,LIST_SEP))
+ while (next_token(&p,tok,LIST_SEP, sizeof(tok)))
 {
 /*
 * Check raw username.
diff --git a/source3/lib/util.c b/source3/lib/util.c
index 5b8428b546..a52228c997 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -131,10 +131,11 @@ static char *last_ptr=NULL;
 Based on a routine by GJC@VILLAGE.COM.
 Extensively modified by Andrew.Tridgell@anu.edu.au
 ****************************************************************************/
-BOOL next_token(char **ptr,char *buff,char *sep)
+BOOL next_token(char **ptr,char *buff,char *sep, int bufsize)
 {
 char *s;
 BOOL quoted;
+ int len=1;
 if (!ptr) ptr = &last_ptr;
 if (!ptr) return(False);
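Review bot: In interpret_interfaces() in source3/lib/interface.c, `sizeof(token)` is the buffer size only if `token` is declared as a character array; its declaration lies outside this hunk, so that cannot be confirmed here. If it were a `char *`, the call would pass the pointer size and the new bound would silently cut every token down to a few bytes. The same applies to `tok` in the in_list() and string_to_sid() hunks of source3/lib/util.c, whereas user_in_list() and set_socket_options() show `pstring tok;` and `fstring tok;` in their context lines. I would add a comment at each declaration such as `/* must stay an array: next_token() is given sizeof(token) as its bound */`.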
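Review bot: The header comment above next_token() in source3/lib/util.c does not say what `bufsize` counts, and because of `int len=1;` the copy loop in the following hunk stores at most bufsize-1 characters, so callers need to know it is the full size of `buff` including the terminator. I would add `bufsize is the total size of buff in bytes, including the terminating NUL; longer tokens are truncated` to that comment block. `bufsize` is also a signed `int` while every call site in this patch passes `sizeof(...)`; declaring it `size_t bufsize` (with `size_t len=1;`) would avoid the narrowing conversion. The function body continues outside this hunk.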
@@ -151,12 +152,14 @@ BOOL next_token(char **ptr,char *buff,char *sep)
 if (! *s) return(False);
 /* copy over the token */
- for (quoted = False; *s && (quoted || !strchr(sep,*s)); s++)
+ for (quoted = False; len < bufsize && *s && (quoted || !strchr(sep,*s)); s++)
 {
- if (*s == '\"')
- quoted = !quoted;
- else
- *buff++ = *s;
+ if (*s == '\"') {
+ quoted = !quoted;
+ } else {
+ len++;
+ *buff++ = *s;
+ }
 }
 *ptr = (*s) ? s+1 : s;
@@ -291,7 +294,7 @@ void set_socket_options(int fd, char *options)
 {
 fstring tok;
- while (next_token(&options,tok," \t,"))
+ while (next_token(&options,tok," \t,", sizeof(tok)))
 {
 int ret=0,i;
 int value = 1;
@@ -2618,7 +2621,7 @@ BOOL in_list(char *s,char *list,BOOL casesensitive)
 if (!list) return(False);
- while (next_token(&p,tok,LIST_SEP))
+ while (next_token(&p,tok,LIST_SEP,sizeof(tok)))
 {
 if (casesensitive) {
 if (strcmp(tok,s) == 0)
@@ -5085,7 +5088,7 @@ BOOL string_to_sid(DOM_SID *sidout, char *sidstr)
 }
 p += 2;
- if(!next_token(&p, tok, "-")) {
+ if(!next_token(&p, tok, "-", sizeof(tok))) {
 DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
 return False;
 }
@@ -5093,7 +5096,7 @@ BOOL string_to_sid(DOM_SID *sidout, char *sidstr)
 /* Get the revision number. */
 sidout->sid_rev_num = atoi(tok);
- if(!next_token(&p, tok, "-")) {
+ if(!next_token(&p, tok, "-", sizeof(tok))) {
 DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
 return False;
 }
@@ -5111,7 +5114,8 @@ BOOL string_to_sid(DOM_SID *sidout, char *sidstr)
 sidout->num_auths = 0;
- while(next_token(&p, tok, "-") && sidout->num_auths < MAXSUBAUTHS) {
+ while(next_token(&p, tok, "-", sizeof(tok)) &&
+ sidout->num_auths < MAXSUBAUTHS) {
 /*
 * NOTE - the subauths are in native machine-endian format. They
 * are converted to little-endian when linearized onto the wire.
-- cgit
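Review bot: When the copy loop in next_token() stops because `len` reached `bufsize`, `s` still points inside the token, so `*ptr = (*s) ? s+1 : s;` drops one character and the next call returns the remainder as a separate token. For user_in_list() and in_list(), which compare each token against a name, the tail of an overlong entry would therefore be treated as a list entry in its own right; the safer behaviour is to discard the rest of the token. Before the `*ptr` assignment I would add `while (*s && (quoted || !strchr(sep,*s))) { if (*s == '\"') quoted = !quoted; s++; }`, or alternatively return False and log the truncation. The function continues past the end of this hunk, so the termination of `buff` is not visible here.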
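Review bot: In the last string_to_sid() hunk the loop condition calls next_token() before testing `sidout->num_auths < MAXSUBAUTHS`, so a SID string with more than MAXSUBAUTHS sub-authorities has one extra token consumed and the loop then simply ends. Unless code after the loop (outside this hunk) rejects leftover input, such a string is accepted in truncated form rather than reported as invalid. I would test the bound first, `while(sidout->num_auths < MAXSUBAUTHS && next_token(&p, tok, "-", sizeof(tok))) {`, and treat any input remaining after the loop as a format error in the same way as the two `DEBUG(0,...)` branches in the earlier hunks.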