[packages/autofs.git] / autofs-5.0.4-easy-alloca-replacements-fix.patch

autofs-5.0.4 - easy alloca replacements fix

From: Ian Kent <raven@themaw.net>

Fix array out of bounds accesses and remove alloca(3) calls from
modules/mount_autofs.c and modules/mount_nfs.c as well.
---

 CHANGELOG               |    2 +-
 modules/lookup_ldap.c   |    3 ---
 modules/mount_autofs.c  |    9 ++-------
 modules/mount_bind.c    |    6 +++++-
 modules/mount_changer.c |    6 +++++-
 modules/mount_ext2.c    |    6 +++++-
 modules/mount_generic.c |    6 +++++-
 modules/mount_nfs.c     |   12 +++++++-----
 8 files changed, 30 insertions(+), 20 deletions(-)


--- autofs-5.0.4.orig/CHANGELOG
+++ autofs-5.0.4/CHANGELOG
@@ -20,7 +20,7 @@
 - update to configure libtirpc if present.
 - update to provide ipv6 name and address support.
 - update to provide ipv6 address parsing.
-
+- easy alloca replacements fix.
 
 4/11/2008 autofs-5.0.4
 -----------------------
--- autofs-5.0.4.orig/modules/lookup_ldap.c
+++ autofs-5.0.4/modules/lookup_ldap.c
@@ -1474,7 +1474,6 @@ int lookup_read_master(struct master *ma
 		free(query);
 		return NSS_STATUS_UNAVAIL;
 	}
-	query[l] = '\0';
 
 	/* Initialize the LDAP context. */
 	ldap = do_reconnect(logopt, ctxt);
@@ -2213,7 +2212,6 @@ static int read_one_map(struct autofs_po
 		free(sp.query);
 		return NSS_STATUS_UNAVAIL;
 	}
-	sp.query[l] = '\0';
 
 	/* Initialize the LDAP context. */
 	sp.ldap = do_reconnect(ap->logopt, ctxt);
@@ -2404,7 +2402,6 @@ static int lookup_one(struct autofs_poin
 		free(query);
 		return CHE_FAIL;
 	}
-	query[ql] = '\0';
 
 	/* Initialize the LDAP context. */
 	ldap = do_reconnect(ap->logopt, ctxt);
--- autofs-5.0.4.orig/modules/mount_autofs.c
+++ autofs-5.0.4/modules/mount_autofs.c
@@ -45,7 +45,8 @@ int mount_mount(struct autofs_point *ap,
 {
 	struct startup_cond suc;
 	pthread_t thid;
-	char *realpath, *mountpoint;
+	char realpath[PATH_MAX];
+	char mountpoint[PATH_MAX];
 	const char **argv;
 	int argc, status, ghost = ap->flags & MOUNT_FLAG_GHOST;
 	time_t timeout = ap->exp_timeout;
@@ -62,8 +63,6 @@ int mount_mount(struct autofs_point *ap,
 	/* Root offset of multi-mount */
 	len = strlen(root);
 	if (root[len - 1] == '/') {
-		realpath = alloca(strlen(ap->path) + name_len + 2);
-		mountpoint = alloca(len + 1);
 		strcpy(realpath, ap->path);
 		strcat(realpath, "/");
 		strcat(realpath, name);
@@ -71,8 +70,6 @@ int mount_mount(struct autofs_point *ap,
 		strncpy(mountpoint, root, len);
 		mountpoint[len] = '\0';
 	} else if (*name == '/') {
-		realpath = alloca(name_len + 1);
-		mountpoint = alloca(len + 1);
 		if (ap->flags & MOUNT_FLAG_REMOUNT) {
 			strcpy(mountpoint, name);
 			strcpy(realpath, name);
@@ -81,8 +78,6 @@ int mount_mount(struct autofs_point *ap,
 			strcpy(realpath, name);
 		}
 	} else {
-		realpath = alloca(len + name_len + 2);
-		mountpoint = alloca(len + name_len + 2);
 		strcpy(mountpoint, root);
 		strcat(mountpoint, "/");
 		strcpy(realpath, mountpoint);
--- autofs-5.0.4.orig/modules/mount_bind.c
+++ autofs-5.0.4/modules/mount_bind.c
@@ -81,8 +81,12 @@ int mount_mount(struct autofs_point *ap,
 	len = strlen(root);
 	if (root[len - 1] == '/') {
 		len = snprintf(fullpath, len, "%s", root);
-	/* Direct mount name is absolute path so don't use root */
 	} else if (*name == '/') {
+		/*
+		 * Direct or offset mount, name is absolute path so
+		 * don't use root (but with move mount changes root
+		 * is now the same as name).
+		 */
 		len = sprintf(fullpath, "%s", root);
 	} else {
 		len = sprintf(fullpath, "%s/%s", root, name);
--- autofs-5.0.4.orig/modules/mount_changer.c
+++ autofs-5.0.4/modules/mount_changer.c
@@ -58,8 +58,12 @@ int mount_mount(struct autofs_point *ap,
 	len = strlen(root);
 	if (root[len - 1] == '/') {
 		len = snprintf(fullpath, len, "%s", root);
-	/* Direct mount name is absolute path so don't use root */
 	} else if (*name == '/') {
+		/*
+		 * Direct or offset mount, name is absolute path so
+		 * don't use root (but with move mount changes root
+		 * is now the same as name).
+		 */
 		len = sprintf(fullpath, "%s", root);
 	} else {
 		len = sprintf(fullpath, "%s/%s", root, name);
--- autofs-5.0.4.orig/modules/mount_ext2.c
+++ autofs-5.0.4/modules/mount_ext2.c
@@ -50,8 +50,12 @@ int mount_mount(struct autofs_point *ap,
 	len = strlen(root);
 	if (root[len - 1] == '/') {
 		len = snprintf(fullpath, len, "%s", root);
-	/* Direct mount name is absolute path so don't use root */
 	} else if (*name == '/') {
+		/*
+		 * Direct or offset mount, name is absolute path so
+		 * don't use root (but with move mount changes root
+		 * is now the same as name).
+		 */
 		len = sprintf(fullpath, "%s", root);
 	} else {
 		len = sprintf(fullpath, "%s/%s", root, name);
--- autofs-5.0.4.orig/modules/mount_generic.c
+++ autofs-5.0.4/modules/mount_generic.c
@@ -49,8 +49,12 @@ int mount_mount(struct autofs_point *ap,
 	len = strlen(root);
 	if (root[len - 1] == '/') {
 		len = snprintf(fullpath, len, "%s", root);
-	/* Direct mount name is absolute path so don't use root */
 	} else if (*name == '/') {
+		/*
+		 * Direct or offset mount, name is absolute path so
+		 * don't use root (but with move mount changes root
+		 * is now the same as name).
+		 */
 		len = sprintf(fullpath, "%s", root);
 	} else {
 		len = sprintf(fullpath, "%s/%s", root, name);
--- autofs-5.0.4.orig/modules/mount_nfs.c
+++ autofs-5.0.4/modules/mount_nfs.c
@@ -58,7 +58,8 @@ int mount_mount(struct autofs_point *ap,
 		const char *what, const char *fstype, const char *options,
 		void *context)
 {
-	char *fullpath, buf[MAX_ERR_BUF];
+	char fullpath[PATH_MAX];
+	char buf[MAX_ERR_BUF];
 	struct host *this, *hosts = NULL;
 	unsigned int vers;
 	char *nfsoptions = NULL;
@@ -150,14 +151,15 @@ int mount_mount(struct autofs_point *ap,
 	/* Root offset of multi-mount */
 	len = strlen(root);
 	if (root[len - 1] == '/') {
-		fullpath = alloca(len);
 		len = snprintf(fullpath, len, "%s", root);
-	/* Direct mount name is absolute path so don't use root */
 	} else if (*name == '/') {
-		fullpath = alloca(len + 1);
+		/*
+		 * Direct or offset mount, name is absolute path so
+		 * don't use root (but with move mount changes root
+		 * is now the same as name).
+		 */
 		len = sprintf(fullpath, "%s", root);
 	} else {
-		fullpath = alloca(len + name_len + 2);
 		len = sprintf(fullpath, "%s/%s", root, name);
 	}
 	fullpath[len] = '\0';
Commit	Line	Data
e5fd101c PS	1	autofs-5.0.4 - easy alloca replacements fix
	2
	3	From: Ian Kent <raven@themaw.net>
	4
	5	Fix array out of bounds accesses and remove alloca(3) calls from
	6	modules/mount_autofs.c and modules/mount_nfs.c as well.
	7	---
	8
	9	CHANGELOG \| 2 +-
	10	modules/lookup_ldap.c \| 3 ---
	11	modules/mount_autofs.c \| 9 ++-------
	12	modules/mount_bind.c \| 6 +++++-
	13	modules/mount_changer.c \| 6 +++++-
	14	modules/mount_ext2.c \| 6 +++++-
	15	modules/mount_generic.c \| 6 +++++-
	16	modules/mount_nfs.c \| 12 +++++++-----
	17	8 files changed, 30 insertions(+), 20 deletions(-)
	18
	19
	20	--- autofs-5.0.4.orig/CHANGELOG
	21	+++ autofs-5.0.4/CHANGELOG
	22	@@ -20,7 +20,7 @@
	23	- update to configure libtirpc if present.
	24	- update to provide ipv6 name and address support.
	25	- update to provide ipv6 address parsing.
	26	-
	27	+- easy alloca replacements fix.
	28
	29	4/11/2008 autofs-5.0.4
	30	-----------------------
	31	--- autofs-5.0.4.orig/modules/lookup_ldap.c
	32	+++ autofs-5.0.4/modules/lookup_ldap.c
	33	@@ -1474,7 +1474,6 @@ int lookup_read_master(struct master *ma
	34	free(query);
	35	return NSS_STATUS_UNAVAIL;
	36	}
	37	- query[l] = '\0';
	38
	39	/* Initialize the LDAP context. */
	40	ldap = do_reconnect(logopt, ctxt);
	41	@@ -2213,7 +2212,6 @@ static int read_one_map(struct autofs_po
	42	free(sp.query);
	43	return NSS_STATUS_UNAVAIL;
	44	}
	45	- sp.query[l] = '\0';
	46
	47	/* Initialize the LDAP context. */
	48	sp.ldap = do_reconnect(ap->logopt, ctxt);
	49	@@ -2404,7 +2402,6 @@ static int lookup_one(struct autofs_poin
	50	free(query);
	51	return CHE_FAIL;
	52	}
	53	- query[ql] = '\0';
	54
	55	/* Initialize the LDAP context. */
	56	ldap = do_reconnect(ap->logopt, ctxt);
	57	--- autofs-5.0.4.orig/modules/mount_autofs.c
	58	+++ autofs-5.0.4/modules/mount_autofs.c
	59	@@ -45,7 +45,8 @@ int mount_mount(struct autofs_point *ap,
	60	{
	61	struct startup_cond suc;
	62	pthread_t thid;
	63	- char realpath, mountpoint;
	64	+ char realpath[PATH_MAX];
65	+ char mountpoint[PATH_MAX];
66	const char **argv;
67	int argc, status, ghost = ap->flags & MOUNT_FLAG_GHOST;
68	time_t timeout = ap->exp_timeout;
69	@@ -62,8 +63,6 @@ int mount_mount(struct autofs_point *ap,
70	/* Root offset of multi-mount */
71	len = strlen(root);
72	if (root[len - 1] == '/') {
73	- realpath = alloca(strlen(ap->path) + name_len + 2);
74	- mountpoint = alloca(len + 1);
75	strcpy(realpath, ap->path);
76	strcat(realpath, "/");
77	strcat(realpath, name);
78	@@ -71,8 +70,6 @@ int mount_mount(struct autofs_point *ap,
79	strncpy(mountpoint, root, len);
80	mountpoint[len] = '\0';
81	} else if (*name == '/') {
82	- realpath = alloca(name_len + 1);
83	- mountpoint = alloca(len + 1);
84	if (ap->flags & MOUNT_FLAG_REMOUNT) {
85	strcpy(mountpoint, name);
86	strcpy(realpath, name);
87	@@ -81,8 +78,6 @@ int mount_mount(struct autofs_point *ap,
88	strcpy(realpath, name);
89	}
90	} else {
91	- realpath = alloca(len + name_len + 2);
92	- mountpoint = alloca(len + name_len + 2);
93	strcpy(mountpoint, root);
94	strcat(mountpoint, "/");
95	strcpy(realpath, mountpoint);
96	--- autofs-5.0.4.orig/modules/mount_bind.c
97	+++ autofs-5.0.4/modules/mount_bind.c
98	@@ -81,8 +81,12 @@ int mount_mount(struct autofs_point *ap,
99	len = strlen(root);
100	if (root[len - 1] == '/') {
101	len = snprintf(fullpath, len, "%s", root);
102	- /* Direct mount name is absolute path so don't use root */
103	} else if (*name == '/') {
104	+ /*
105	+ * Direct or offset mount, name is absolute path so
106	+ * don't use root (but with move mount changes root
107	+ * is now the same as name).
108	+ */
109	len = sprintf(fullpath, "%s", root);
110	} else {
111	len = sprintf(fullpath, "%s/%s", root, name);
112	--- autofs-5.0.4.orig/modules/mount_changer.c
113	+++ autofs-5.0.4/modules/mount_changer.c
114	@@ -58,8 +58,12 @@ int mount_mount(struct autofs_point *ap,
115	len = strlen(root);
116	if (root[len - 1] == '/') {
117	len = snprintf(fullpath, len, "%s", root);
118	- /* Direct mount name is absolute path so don't use root */
119	} else if (*name == '/') {
120	+ /*
121	+ * Direct or offset mount, name is absolute path so
122	+ * don't use root (but with move mount changes root
123	+ * is now the same as name).
124	+ */
125	len = sprintf(fullpath, "%s", root);
126	} else {
127	len = sprintf(fullpath, "%s/%s", root, name);
128	--- autofs-5.0.4.orig/modules/mount_ext2.c
129	+++ autofs-5.0.4/modules/mount_ext2.c
130	@@ -50,8 +50,12 @@ int mount_mount(struct autofs_point *ap,
131	len = strlen(root);
132	if (root[len - 1] == '/') {
133	len = snprintf(fullpath, len, "%s", root);
134	- /* Direct mount name is absolute path so don't use root */
135	} else if (*name == '/') {
136	+ /*
137	+ * Direct or offset mount, name is absolute path so
138	+ * don't use root (but with move mount changes root
139	+ * is now the same as name).
140	+ */
141	len = sprintf(fullpath, "%s", root);
142	} else {
143	len = sprintf(fullpath, "%s/%s", root, name);
144	--- autofs-5.0.4.orig/modules/mount_generic.c
145	+++ autofs-5.0.4/modules/mount_generic.c
146	@@ -49,8 +49,12 @@ int mount_mount(struct autofs_point *ap,
147	len = strlen(root);
148	if (root[len - 1] == '/') {
149	len = snprintf(fullpath, len, "%s", root);
150	- /* Direct mount name is absolute path so don't use root */
151	} else if (*name == '/') {
152	+ /*
153	+ * Direct or offset mount, name is absolute path so
154	+ * don't use root (but with move mount changes root
155	+ * is now the same as name).
156	+ */
157	len = sprintf(fullpath, "%s", root);
158	} else {
159	len = sprintf(fullpath, "%s/%s", root, name);
160	--- autofs-5.0.4.orig/modules/mount_nfs.c
161	+++ autofs-5.0.4/modules/mount_nfs.c
162	@@ -58,7 +58,8 @@ int mount_mount(struct autofs_point *ap,
163	const char what, const char fstype, const char *options,
164	void *context)
165	{
166	- char *fullpath, buf[MAX_ERR_BUF];
167	+ char fullpath[PATH_MAX];
168	+ char buf[MAX_ERR_BUF];
169	struct host this, hosts = NULL;
170	unsigned int vers;
171	char *nfsoptions = NULL;
172	@@ -150,14 +151,15 @@ int mount_mount(struct autofs_point *ap,
173	/* Root offset of multi-mount */
174	len = strlen(root);
175	if (root[len - 1] == '/') {
176	- fullpath = alloca(len);
177	len = snprintf(fullpath, len, "%s", root);
178	- /* Direct mount name is absolute path so don't use root */
179	} else if (*name == '/') {
180	- fullpath = alloca(len + 1);
181	+ /*
182	+ * Direct or offset mount, name is absolute path so
183	+ * don't use root (but with move mount changes root
184	+ * is now the same as name).
185	+ */
186	len = sprintf(fullpath, "%s", root);
187	} else {
188	- fullpath = alloca(len + name_len + 2);
189	len = sprintf(fullpath, "%s/%s", root, name);
190	}
191	fullpath[len] = '\0';