From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Mon, 19 Nov 2012 15:36:38 +0000 (+0100)
Subject: core/load-fragment: fix (potential) bad memory access
X-Git-Tag: v196~29
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=ac97e2c559f5d386a332aba4a24bf9930cdb1c51

core/load-fragment: fix (potential) bad memory access

strncmp() could be used with size bigger then the size of the string,
because MAX was used instead of MIN.

If failing, print just the offending mount flag.
---

diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 01f94844a..6933e1a21 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -1101,15 +1101,22 @@ int config_parse_exec_mount_flags(
         assert(rvalue);
         assert(data);
 
-        FOREACH_WORD_QUOTED(w, l, rvalue, state) {
-                if (strncmp(w, "shared", MAX(l, 6U)) == 0)
+        FOREACH_WORD_SEPARATOR(w, l, rvalue, ", ", state) {
+                char _cleanup_free_ *t;
+
+                t = strndup(w, l);
+                if (!t)
+                        return -ENOMEM;
+
+                if (streq(t, "shared"))
                         flags |= MS_SHARED;
-                else if (strncmp(w, "slave", MAX(l, 5U)) == 0)
+                else if (streq(t, "slave"))
                         flags |= MS_SLAVE;
-                else if (strncmp(w, "private", MAX(l, 7U)) == 0)
+                else if (streq(w, "private"))
                         flags |= MS_PRIVATE;
                 else {
-                        log_error("[%s:%u] Failed to parse mount flags, ignoring: %s", filename, line, rvalue);
+                        log_error("[%s:%u] Failed to parse mount flag %s, ignoring: %s",
+                                  filename, line, t, rvalue);
                         return 0;
                 }
         }