autofs-5.1.8 - fix use after free in tree_mapent_delete_offset_tree()
From: Ian Kent <raven@themaw.net>
The key field of the map entry of the root of the map entry tree to be
deleted can't be used for the key parameter, fix it.
Signed-off-by: Ian Kent <raven@themaw.net>
---
CHANGELOG | 1 +
lib/mounts.c | 16 +++++++++++++---
2 files changed, 14 insertions(+), 3 deletions(-)
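--- a/CHANGELOG
+++ b/CHANGELOG
@@ -88,6 +88,7 @@
 - dont fail on duplicate offset entry tree add.
 - fix loop under run in cache_get_offset_parent().
 - simplify cache_add() a little.
+- fix use after free in tree_mapent_delete_offset_tree().
 
 xx/xx/2018 autofs-5.1.5
 - fix flag file permission.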
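--- a/lib/mounts.c
+++ b/lib/mounts.c
@@ -1666,16 +1666,26 @@ static int tree_mapent_delete_offset_tre
 */
 if (MAPENT_ROOT(me) != MAPENT_NODE(me)) {
 struct tree_node *root = MAPENT_ROOT(me);
+ char *key;
 
- debug(logopt, "deleting offset key %s", me->key);
+ key = strdup(me->key);
+ if (!key) {
+ char buf[MAX_ERR_BUF];
+ char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+ error(logopt, "strdup: %s", estr);
+ return 0;
+ }
+
+ debug(logopt, "deleting offset key %s", key);
 
 /* cache_delete won't delete an active offset */
 MAPENT_SET_ROOT(me, NULL);
- ret = cache_delete(me->mc, me->key);
+ ret = cache_delete(me->mc, key);
 if (ret != CHE_OK) {
 MAPENT_SET_ROOT(me, root);
- warn(logopt, "failed to delete offset %s", me->key);
+ warn(logopt, "failed to delete offset %s", key);
 }
+ free(key);
 } else {
 MAPENT_SET_ROOT(me, NULL);
 MAPENT_SET_PARENT(me, NULL);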
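Review bot: Nothing in the new block records why `me->key` is copied before the delete, so a later cleanup could fold `key` back into `me->key` and reintroduce the use after free; a comment above `key = strdup(me->key);` such as `/* cache_delete() may free me and me->key, so work from a private copy */` would pin the reason down. Going by the commit title, `me` should be treated as dangling once `cache_delete()` returns `CHE_OK`, and within the hunk `me` is only touched again on the failure path (`MAPENT_SET_ROOT(me, root)`), which looks consistent with that. The `return 0` on `strdup` failure leaves the offset entry in the cache; presumably 0 is this function's failure value, but that cannot be confirmed here because the function starts and ends outside the hunk.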