From d6a69bc554bff36918900c3de1821d1e05a840ab Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Wed, 27 Jul 2016 17:15:43 +0200
Subject: [PATCH] auth: Don't include bind files if length < 2 or > sizeof(filename)
---
 pdns/bindlexer.l | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/pdns/bindlexer.l b/pdns/bindlexer.l
index 4a47e7a2d..8003a2740 100644
--- a/pdns/bindlexer.l
+++ b/pdns/bindlexer.l
@@ -44,25 +44,43 @@ include BEGIN(incl);
 char filename[1024];
 if ( include_stack_ptr >= MAX_INCLUDE_DEPTH ) {
- fprintf( stderr, "Includes nested too deeply" );
+ fprintf( stderr, "Includes nested too deeply\n" );
 exit( 1 );
 }
+ if (strlen(yytext) <= 2) {
+ fprintf( stderr, "Empty include directive\n" );
+ exit( 1 );
+ }
+
 yytext[strlen(yytext)-2]=0;
 include_stack[include_stack_ptr]=YY_CURRENT_BUFFER;
 include_stack_name[include_stack_ptr]=current_filename=strdup(yytext+1);
 include_stack_ln[include_stack_ptr++]=linenumber;
 linenumber=1;
- if(*(yytext+1)=='/')
+
+ if(*(yytext+1)=='/') {
+ if (strlen(yytext+1) >= sizeof(filename)) {
+ fprintf( stderr, "Filename '%s' is too long\n",yytext+1);
+ exit( 1 );
+ }
 strcpy(filename,yytext+1);
+ }
 else {
+ size_t bind_directory_len = strlen(bind_directory);
+ if (bind_directory_len >= sizeof(filename) ||
+ strlen(yytext+1) + 2 >= sizeof(filename) - bind_directory_len) {
+ fprintf( stderr, "Filename '%s' is too long\n",yytext+1);
+ exit( 1 );
+ }
 strcpy(filename,bind_directory);
 strcat(filename,"/");
 strcat(filename,yytext+1);
 }
+ filename[sizeof(filename)-1]='\0';
- if (*yytext &&!(yyin=fopen(filename,"r"))) {
+ if (!(yyin=fopen(filename,"r"))) {
 fprintf( stderr, "Unable to open '%s': %s\n",filename,strerror(errno));
 exit( 1 );
 }
-- 
2.40.0
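Review bot: The new `strlen(yytext) <= 2` guard still lets a three-character token through, and after `yytext[strlen(yytext)-2]=0` that token leaves `yytext+1` empty, so `filename` would become `bind_directory` plus `/` and `fopen` is attempted on the directory itself. Testing the name after the truncation, e.g. `if (yytext[1] == '\0') { fprintf( stderr, "Empty include directive\n" ); exit( 1 ); }`, would reject every empty name regardless of how the token ended. The two length checks ahead of `strcpy`/`strcat` look sound (the relative-path one also rejects a name that would fit exactly, which is harmless), but a single `snprintf(filename, sizeof(filename), "%s/%s", bind_directory, yytext+1)` whose return value is compared against `sizeof(filename)` would replace the hand-written arithmetic and make the trailing `filename[sizeof(filename)-1]='\0'` unnecessary. The rule's action begins and ends outside this hunk, so the token pattern itself is not visible here.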