
autofs-5.1.8 - fix use after free in tree_mapent_delete_offset_tree()
From: Ian Kent <raven@themaw.net>
The key field of the map entry of the root of the map entry tree to be
deleted can't be used for the key parameter, fix it.
Signed-off-by: Ian Kent <raven@themaw.net>
---
 CHANGELOG    |    1 +
 lib/mounts.c |   16 +++++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)
--- autofs-5.1.4.orig/CHANGELOG
+++ autofs-5.1.4/CHANGELOG
@@ -88,6 +88,7 @@
 - dont fail on duplicate offset entry tree add.
 - fix loop under run in cache_get_offset_parent().
 - simplify cache_add() a little.
+- fix use after free in tree_mapent_delete_offset_tree().
 
 xx/xx/2018 autofs-5.1.5
 - fix flag file permission.
--- autofs-5.1.4.orig/lib/mounts.c
+++ autofs-5.1.4/lib/mounts.c
@@ -1666,16 +1666,26 @@ static int tree_mapent_delete_offset_tre
 	 */
 	if (MAPENT_ROOT(me) != MAPENT_NODE(me)) {
 		struct tree_node *root = MAPENT_ROOT(me);
+		char *key;
 
-		debug(logopt, "deleting offset key %s", me->key);
+		key = strdup(me->key);
+		if (!key) {
+			char buf[MAX_ERR_BUF];
+			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+			error(logopt, "strdup: %s", estr);
+			return 0;
+		}
+
+		debug(logopt, "deleting offset key %s", key);
 
 		/* cache_delete won't delete an active offset */
 		MAPENT_SET_ROOT(me, NULL);
-		ret = cache_delete(me->mc, me->key);
+		ret = cache_delete(me->mc, key);
 		if (ret != CHE_OK) {
 			MAPENT_SET_ROOT(me, root);
-			warn(logopt, "failed to delete offset %s", me->key);
+			warn(logopt, "failed to delete offset %s", key);
 		}
+		free(key);
 	} else {
 		MAPENT_SET_ROOT(me, NULL);
 		MAPENT_SET_PARENT(me, NULL);
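Review bot: The reason for the private copy is not recorded next to the new `key = strdup(me->key);` line, and nothing in the hunk shows that cache_delete() releases `me`, so a later reader may well remove the copy as redundant and reintroduce the use-after-free. A comment above the strdup() such as `/* cache_delete() frees me, so the key logged and passed below must not alias me->key */` would anchor the fix; that cache_delete() frees the entry is implied by the commit message rather than visible here, so confirm the wording against cache_delete(). The strdup() failure branch returns 0 before MAPENT_ROOT is cleared, which keeps the entry consistent, though what the caller does with a 0 return is outside the hunk. The enclosing tree_mapent_delete_offset_tree() starts before and continues past this hunk.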