From d82c1c7a66af88ec0b00e5c990ebb272394298d4 Mon Sep 17 00:00:00 2001
From: Eric Bollengier
Date: Sun, 18 Oct 2015 11:20:44 +0200
Subject: [PATCH] Do some sanity checks on user inputs

---
 bacula/src/dird/ua_dotcmds.c | 20 ++++++++++++++------
 bacula/src/dird/ua_prune.c   |  4 +++-
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/bacula/src/dird/ua_dotcmds.c b/bacula/src/dird/ua_dotcmds.c
index 4aeadfbc2a..5ea53ca123 100644
--- a/bacula/src/dird/ua_dotcmds.c
+++ b/bacula/src/dird/ua_dotcmds.c
@@ -905,20 +905,28 @@ static bool dot_bvfs_get_jobs(UAContext *ua, const char *cmd)
       return true;
    }
 
-   if ((pos = find_arg_with_value(ua, "client")) < 0) {
+   if (((pos = find_arg_with_value(ua, "client")) < 0) ||
+       (strlen(ua->argv[pos]) > MAX_NAME_LENGTH))
+   {
       return true;
    }
 
-   posj = find_arg_with_value(ua, "ujobid");
-
    if (!acl_access_ok(ua, Client_ACL, ua->argv[pos])) {
       return true;
    }
-
+
+   posj = find_arg_with_value(ua, "ujobid");
+   /* Do a little check on the size of the argument */
+   if (posj >= 0 && strlen(ua->argv[posj]) > MAX_NAME_LENGTH) {
+      return true;
+   }
+
    db_lock(ua->db);
-   db_escape_string(ua->jcr, ua->db, esc_cli, ua->argv[pos], sizeof(esc_cli));
+   db_escape_string(ua->jcr, ua->db, esc_cli,
+                    ua->argv[pos], strlen(ua->argv[pos]));
    if (posj >= 0) {
-      db_escape_string(ua->jcr, ua->db, esc_job, ua->argv[posj], sizeof(esc_job));
+      db_escape_string(ua->jcr, ua->db, esc_job,
+                       ua->argv[posj], strlen(ua->argv[pos]));
       Mmsg(tmp, "AND Job.Job = '%s'", esc_job);
    }
    Mmsg(ua->db->cmd,
diff --git a/bacula/src/dird/ua_prune.c b/bacula/src/dird/ua_prune.c
index f83b8310fe..e0a775a463 100644
--- a/bacula/src/dird/ua_prune.c
+++ b/bacula/src/dird/ua_prune.c
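Review bot: The new esc_job escape at the end of the hunk copies from `ua->argv[posj]` but passes `strlen(ua->argv[pos])`, the length of the client argument, so the ujobid value is escaped with the wrong length: a client name longer than the job name makes db_escape_string read past the end of the ujobid argument, and a shorter one silently truncates the job filter that ends up in the SQL. The line should read `ua->argv[posj], strlen(ua->argv[posj]));`. The added MAX_NAME_LENGTH checks bound the raw inputs, but esc_cli and esc_job are declared outside the hunk and escaping can expand the string, so whether MAX_NAME_LENGTH keeps the escaped output within those buffers cannot be confirmed from here; a comment at their declaration such as `/* sized for the escaped form of a MAX_NAME_LENGTH argument */` would document that assumption. dot_bvfs_get_jobs starts and ends outside the hunk.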
@@ -652,7 +652,9 @@ static bool prune_expired_volumes(UAContext *ua)
    }
 
    /* We can restrict by MediaType */
-   if ((i = find_arg_with_value(ua, "mediatype")) >= 0) {
+   if (((i = find_arg_with_value(ua, "mediatype")) >= 0) &&
+       (strlen(ua->argv[i]) <= MAX_NAME_LENGTH))
+   {
       char ed1[MAX_ESCAPE_NAME_LENGTH];
       db_escape_string(ua->jcr, ua->db, ed1, ua->argv[i], strlen(ua->argv[i]));
-- 
2.39.5