cron: bounds check the high and low bounds for in a random range.

The bounds are checked for normal ranges in set_element() but in
the case of random ranges this is too late.  As a result, a random
range with an invalid high/low bounds would only result in a syntax
error if the randomized value was out of bounds.  This means the
entry would be "randomly" rejected by cron or crontab.  OK kn@

diff --git a/usr.sbin/cron/entry.c b/usr.sbin/cron/entry.c
index 0d7a852..c3f04b1 100644 (file)
--- a/usr.sbin/cron/entry.c
+++ b/usr.sbin/cron/entry.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: entry.c,v 1.55 2023/05/07 13:43:13 millert Exp $      */
+/*     $OpenBSD: entry.c,v 1.56 2023/05/08 15:18:31 millert Exp $      */
 
 /*
  * Copyright 1988,1990,1993,1994 by Paul Vixie
@@ -513,6 +513,11 @@ get_range(bitstr_t *bits, int low, int high, const char *names[],
                                return (EOF);
                        }
 
+                       /* we must perform the bounds checking ourselves
+                        */
+                       if (num1 < low || num2 > high)
+                               return (EOF);
+
                        if (ch == '/') {
                                /* randomize the step value instead of num1
                                 */