core/load-fragment: fix (potential) bad memory access

strncmp() could be used with size bigger then the size of the string, because MAX was used instead of MIN. If failing, print just the offending mount flag.
2012-11-19 16:36:38 +01:00 · 2012-11-19 16:36:38 +01:00 · ac97e2c559
parent c040936be2
commit ac97e2c559
1 changed files with 12 additions and 5 deletions
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@ -1101,15 +1101,22 @@ int config_parse_exec_mount_flags(
        assert(rvalue);
        assert(data);

-        FOREACH_WORD_QUOTED(w, l, rvalue, state) {
-                if (strncmp(w, "shared", MAX(l, 6U)) == 0)
+        FOREACH_WORD_SEPARATOR(w, l, rvalue, ", ", state) {
+                char _cleanup_free_ *t;
+
+                t = strndup(w, l);
+                if (!t)
+                        return -ENOMEM;
+
+                if (streq(t, "shared"))
                        flags |= MS_SHARED;
-                else if (strncmp(w, "slave", MAX(l, 5U)) == 0)
+                else if (streq(t, "slave"))
                        flags |= MS_SLAVE;
-                else if (strncmp(w, "private", MAX(l, 7U)) == 0)
+                else if (streq(w, "private"))
                        flags |= MS_PRIVATE;
                else {
-                        log_error("[%s:%u] Failed to parse mount flags, ignoring: %s", filename, line, rvalue);
+                        log_error("[%s:%u] Failed to parse mount flag %s, ignoring: %s",
+                                  filename, line, t, rvalue);
                        return 0;
                }
        }