From 62dd3466472780062f6f2f2596b83744c474465f Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Fri, 25 Nov 2011 15:22:36 +0100
Subject: [PATCH] Pass sizeof buffer to cf_expand_variables

---
 src/main/conffile.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/main/conffile.c b/src/main/conffile.c
index ab65a5e..e206da1 100644
--- a/src/main/conffile.c
+++ b/src/main/conffile.c
@@ -101,7 +101,8 @@ static void *cf_data_find_internal(CONF_SECTION *cs, const char *name,
 				   int flag);
 static const char *cf_expand_variables(const char *cf, int *lineno,
 				       CONF_SECTION *outercs,
-				       char *output, const char *input);
+				       char *output, size_t outsize,
+				       const char *input);
 
 int cf_log_config = 1;
 int cf_log_modules = 1;
@@ -420,7 +421,7 @@ static CONF_SECTION *cf_section_alloc(const char *name1, const char *name2,
 	size_t name1_len, name2_len = 0;
 	char *p;
 	CONF_SECTION	*cs;
-	char buffer[256];
+	char buffer[1024];
 
 	if (!name1) return NULL;
 
@@ -430,7 +431,7 @@ static CONF_SECTION *cf_section_alloc(const char *name1, const char *name2,
 			p = cf_expand_variables(parent->item.filename,
 						&parent->item.lineno,
 						parent,
-						buffer, name2);
+						buffer, sizeof(buffer), name2);
 			if (!p) {
 				radlog(L_ERR, "Failed expanding section name");
 				return NULL;
@@ -730,7 +731,8 @@ CONF_SECTION *cf_top_section(CONF_SECTION *cs)
  */
 static const char *cf_expand_variables(const char *cf, int *lineno,
 				       CONF_SECTION *outercs,
-				       char *output, const char *input)
+				       char *output, size_t outsize,
+				       const char *input)
 {
 	char *p;
 	const char *end, *ptr;
@@ -858,6 +860,8 @@ static const char *cf_expand_variables(const char *cf, int *lineno,
 			 */
 			*(p++) = *(ptr++);
 		}
+
+		if ((p - output) > outsize) return NULL;		
 	} /* loop over all of the input string. */
 
 	*p = '\0';
@@ -957,7 +961,8 @@ int cf_item_parse(CONF_SECTION *cs, const char *name,
 			 */
 			value = cf_expand_variables("<internal>",
 						    &lineno,
-						    cs, buffer, value);
+						    cs, buffer, sizeof(buffer),
+						    value);
 			if (!value) {
 				cf_log_err(cf_sectiontoitem(cs),"Failed expanding variable %s", name);
 				return -1;
@@ -996,7 +1001,8 @@ int cf_item_parse(CONF_SECTION *cs, const char *name,
 			 */
 			value = cf_expand_variables("?",
 						    &lineno,
-						    cs, buffer, value);
+						    cs, buffer, sizeof(buffer),
+						    value);
 			if (!value) return -1;
 		}
 
@@ -1445,7 +1451,7 @@ static int cf_section_read(const char *filename, int *lineno, FILE *fp,
 
 			if (buf2[0] == '$') relative = 0;
 
-			value = cf_expand_variables(filename, lineno, this, buf, buf2);
+			value = cf_expand_variables(filename, lineno, this, buf, sizeof(buf), buf2);
 			if (!value) return -1;
 
 			if (!FR_DIR_IS_RELATIVE(value)) relative = 0;
@@ -1630,7 +1636,7 @@ static int cf_section_read(const char *filename, int *lineno, FILE *fp,
 			if ((t3 == T_BARE_WORD) ||
 			    (t3 == T_DOUBLE_QUOTED_STRING)) {
 				value = cf_expand_variables(filename, lineno, this,
-							    buf, buf3);
+							    buf, sizeof(buf), buf3);
 				if (!value) return -1;
 			} else if ((t3 == T_EOL) ||
 				   (t3 == T_HASH)) {
-- 
2.1.4