Blob Blame Raw
From eeef53917864600e0f5ac42ce5c3d884967012a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 5 Feb 2018 10:31:47 +0100
Subject: [PATCH 1/2] warnquota: Check snprintf() for overflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GCC 8 with GNU libc 2.27 prerelease warns:

gcc -DHAVE_CONFIG_H -I.     -g -O2 -Wall -fPIC -I/usr/include/tirpc  -c -o warnquota.o warnquota.c
warnquota.c: In function ‘lookup_user’:
warnquota.c:415:29: warning: ‘%s’ directive output may be truncated writing up to 2047 bytes into a region of size 255 [-Wformat-truncation=]
  snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, user);
                             ^~
warnquota.c:415:2: note: ‘snprintf’ output 4 or more bytes (assuming 2051) into a destination of size 256
  snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, user);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
warnquota.c: In function ‘warn_quota’:
warnquota.c:896:51: warning: ‘%s’ directive output may be truncated writing up to 2047 bytes into a region of size 2041 [-Wformat-truncation=]
    snprintf(config->ldap_uri, CNF_BUFFER, "ldap://%s:%d", config->ldap_host, config->ldap_port);
                                                   ^~      ~~~~~~~~~~~~~~~~~
warnquota.c:896:4: note: ‘snprintf’ output between 10 and 2067 bytes into a destination of size 2048
    snprintf(config->ldap_uri, CNF_BUFFER, "ldap://%s:%d", config->ldap_host, config->ldap_port);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is patch fixes it by catching the cases when snprintf() truncates and
reporting an error.

Perfect fix would fall back into dynamically allocated buffers but
I think that would make these corner case too complicated provided
nobody had yet complained about them.

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 warnquota.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/warnquota.c b/warnquota.c
index 073c45e..bc11055 100644
--- a/warnquota.c
+++ b/warnquota.c
@@ -412,7 +412,13 @@ static char *lookup_user(struct configparams *config, char *user)
 	}
 
 	/* search for the offender_name in ldap */
-	snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, user);
+	if (256 <= snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr,
+		    user)) {
+		errstr(_("Could not format LDAP search filter for %s user and "
+			"%s search attribute due to excessive length.\n"),
+			user, config->ldap_search_attr);
+		return NULL;
+	}
 	ret = ldap_search_ext_s(ldapconn,
 		config->ldap_basedn, LDAP_SCOPE_SUBTREE,
 		searchbuf, NULL, 0, NULL, NULL, NULL,
@@ -893,7 +899,14 @@ cc_parse_err:
 	if (config->use_ldap_mail)
 	{
 		if (!config->ldap_uri[0]) {
-			snprintf(config->ldap_uri, CNF_BUFFER, "ldap://%s:%d", config->ldap_host, config->ldap_port);
+			if (CNF_BUFFER <= snprintf(config->ldap_uri, CNF_BUFFER,
+				    "ldap://%s:%d", config->ldap_host,
+				    config->ldap_port)) {
+				errstr(_("Could not format LDAP URI because "
+					    "it's longer than %d bytes.\n"),
+					    CNF_BUFFER);
+				return -1;
+			}
 			errstr(_("LDAP library version >= 2.3 detected. Please use LDAP_URI instead of hostname and port.\nGenerated URI %s\n"), config->ldap_uri);
 		}
 	}
-- 
2.13.6