autofs-5.1.8 - fix use after free in tree_mapent_delete_offset_tree()
From: Ian Kent <raven@themaw.net>
The key field of the map entry of the root of the map entry tree to be
deleted can't be used for the key parameter, fix it.
Signed-off-by: Ian Kent <raven@themaw.net>
---
 CHANGELOG    |    1 +
 lib/mounts.c |   16 +++++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)
--- autofs-5.1.4.orig/CHANGELOG
229406
+++ autofs-5.1.4/CHANGELOG
229406
@@ -88,6 +88,7 @@
229406
 - dont fail on duplicate offset entry tree add.
229406
 - fix loop under run in cache_get_offset_parent().
229406
 - simplify cache_add() a little.
229406
+- fix use after free in tree_mapent_delete_offset_tree().
229406
 
229406
 xx/xx/2018 autofs-5.1.5
229406
 - fix flag file permission.
229406
--- autofs-5.1.4.orig/lib/mounts.c
229406
+++ autofs-5.1.4/lib/mounts.c
229406
@@ -1666,16 +1666,26 @@ static int tree_mapent_delete_offset_tre
229406
 	 */
229406
 	if (MAPENT_ROOT(me) != MAPENT_NODE(me)) {
229406
 		struct tree_node *root = MAPENT_ROOT(me);
229406
+		char *key;
229406
 
229406
-		debug(logopt, "deleting offset key %s", me->key);
229406
+		key = strdup(me->key);
229406
+		if (!key) {
229406
+			char buf[MAX_ERR_BUF];
229406
+			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
229406
+			error(logopt, "strdup: %s", estr);
229406
+			return 0;
229406
+		}
229406
+
229406
+		debug(logopt, "deleting offset key %s", key);
229406
 
229406
 		/* cache_delete won't delete an active offset */
229406
 		MAPENT_SET_ROOT(me, NULL);
229406
-		ret = cache_delete(me->mc, me->key);
229406
+		ret = cache_delete(me->mc, key);
229406
 		if (ret != CHE_OK) {
229406
 			MAPENT_SET_ROOT(me, root);
229406
-			warn(logopt, "failed to delete offset %s", me->key);
229406
+			warn(logopt, "failed to delete offset %s", key);
229406
 		}
229406
+		free(key);
229406
 	} else {
229406
 		MAPENT_SET_ROOT(me, NULL);
229406
 		MAPENT_SET_PARENT(me, NULL);
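Review bot: The new `strdup()` copy has no comment explaining why `me->key` must not be handed to `cache_delete()`, so a later cleanup could fold `key` back into `me->key` and reintroduce the use after free named in the commit description. I would add above `key = strdup(me->key);` a comment such as `/* cache_delete() may free me and me->key while still using its key argument, so pass a private copy */`; the exact freeing order is inferred from the commit message and is not visible in this hunk. Separately, the allocation-failure path returns 0 before `MAPENT_SET_ROOT(me, NULL)`, so the offset stays in the cache, and the log line does not say which one: `error(logopt, "strdup: %s (offset key %s)", estr, me->key);` would make that traceable. What a 0 return means to the caller's tree walk cannot be judged here, because the function starts and ends outside the hunk.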