1 autofs-5.0.4 - easy alloca replacements fix
3 From: Ian Kent <raven@themaw.net>
5 Fix array out of bounds accesses and remove alloca(3) calls from
6 modules/mount_autofs.c and modules/mount_nfs.c as well.
10 modules/lookup_ldap.c | 3 ---
11 modules/mount_autofs.c | 9 ++-------
12 modules/mount_bind.c | 6 +++++-
13 modules/mount_changer.c | 6 +++++-
14 modules/mount_ext2.c | 6 +++++-
15 modules/mount_generic.c | 6 +++++-
16 modules/mount_nfs.c | 12 +++++++-----
17 8 files changed, 30 insertions(+), 20 deletions(-)
20 --- autofs-5.0.4.orig/CHANGELOG
21 +++ autofs-5.0.4/CHANGELOG
23 - update to configure libtirpc if present.
24 - update to provide ipv6 name and address support.
25 - update to provide ipv6 address parsing.
27 +- easy alloca replacements fix.
29 4/11/2008 autofs-5.0.4
30 -----------------------
31 --- autofs-5.0.4.orig/modules/lookup_ldap.c
32 +++ autofs-5.0.4/modules/lookup_ldap.c
33 @@ -1474,7 +1474,6 @@ int lookup_read_master(struct master *ma
35 return NSS_STATUS_UNAVAIL;
39 /* Initialize the LDAP context. */
40 ldap = do_reconnect(logopt, ctxt);
41 @@ -2213,7 +2212,6 @@ static int read_one_map(struct autofs_po
43 return NSS_STATUS_UNAVAIL;
47 /* Initialize the LDAP context. */
48 sp.ldap = do_reconnect(ap->logopt, ctxt);
49 @@ -2404,7 +2402,6 @@ static int lookup_one(struct autofs_poin
55 /* Initialize the LDAP context. */
56 ldap = do_reconnect(ap->logopt, ctxt);
57 --- autofs-5.0.4.orig/modules/mount_autofs.c
58 +++ autofs-5.0.4/modules/mount_autofs.c
59 @@ -45,7 +45,8 @@ int mount_mount(struct autofs_point *ap,
61 struct startup_cond suc;
63 - char *realpath, *mountpoint;
64 + char realpath[PATH_MAX];
65 + char mountpoint[PATH_MAX];
67 int argc, status, ghost = ap->flags & MOUNT_FLAG_GHOST;
68 time_t timeout = ap->exp_timeout;
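Review bot: `realpath` and `mountpoint` become fixed `PATH_MAX` arrays here, but the three hunks that follow keep the unbounded `strcpy`/`strcat` sequences and the `mountpoint[len] = '\0'` store that previously wrote into alloca buffers sized from the inputs. A combined path longer than `PATH_MAX - 1` would now run past the end of a stack array, so each branch needs a length check before it copies. One option is to build the string with `n = snprintf(realpath, sizeof(realpath), "%s/%s", ap->path, name);`, fail the mount when `n < 0 || (size_t)n >= sizeof(realpath)`, and reject `len >= sizeof(mountpoint)` before the `strncpy`. The body of mount_mount extends beyond these hunks, so an earlier check that is not shown may already bound these lengths; that should be confirmed before relying on it.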
69 @@ -62,8 +63,6 @@ int mount_mount(struct autofs_point *ap,
70 /* Root offset of multi-mount */
72 if (root[len - 1] == '/') {
73 - realpath = alloca(strlen(ap->path) + name_len + 2);
74 - mountpoint = alloca(len + 1);
75 strcpy(realpath, ap->path);
76 strcat(realpath, "/");
77 strcat(realpath, name);
78 @@ -71,8 +70,6 @@ int mount_mount(struct autofs_point *ap,
79 strncpy(mountpoint, root, len);
80 mountpoint[len] = '\0';
81 } else if (*name == '/') {
82 - realpath = alloca(name_len + 1);
83 - mountpoint = alloca(len + 1);
84 if (ap->flags & MOUNT_FLAG_REMOUNT) {
85 strcpy(mountpoint, name);
86 strcpy(realpath, name);
87 @@ -81,8 +78,6 @@ int mount_mount(struct autofs_point *ap,
88 strcpy(realpath, name);
91 - realpath = alloca(len + name_len + 2);
92 - mountpoint = alloca(len + name_len + 2);
93 strcpy(mountpoint, root);
94 strcat(mountpoint, "/");
95 strcpy(realpath, mountpoint);
96 --- autofs-5.0.4.orig/modules/mount_bind.c
97 +++ autofs-5.0.4/modules/mount_bind.c
98 @@ -81,8 +81,12 @@ int mount_mount(struct autofs_point *ap,
100 if (root[len - 1] == '/') {
101 len = snprintf(fullpath, len, "%s", root);
102 - /* Direct mount name is absolute path so don't use root */
103 } else if (*name == '/') {
105 + * Direct or offset mount, name is absolute path so
106 + * don't use root (but with move mount changes root
107 + * is now the same as name).
109 len = sprintf(fullpath, "%s", root);
111 len = sprintf(fullpath, "%s/%s", root, name);
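Review bot: The new comment in the `*name == '/'` branch says "don't use root" directly above `len = sprintf(fullpath, "%s", root);`, which does use root; the parenthetical carries the real explanation and is easy to miss. Wording that states the outcome would read more clearly, for example `/* Direct or offset mount: name is an absolute path and, since the move mount changes, root is the same string, so root alone is the full path. */`. The same comment is added in mount_changer.c, mount_ext2.c, mount_generic.c and mount_nfs.c, so the rewording applies to all five.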
112 --- autofs-5.0.4.orig/modules/mount_changer.c
113 +++ autofs-5.0.4/modules/mount_changer.c
114 @@ -58,8 +58,12 @@ int mount_mount(struct autofs_point *ap,
116 if (root[len - 1] == '/') {
117 len = snprintf(fullpath, len, "%s", root);
118 - /* Direct mount name is absolute path so don't use root */
119 } else if (*name == '/') {
121 + * Direct or offset mount, name is absolute path so
122 + * don't use root (but with move mount changes root
123 + * is now the same as name).
125 len = sprintf(fullpath, "%s", root);
127 len = sprintf(fullpath, "%s/%s", root, name);
128 --- autofs-5.0.4.orig/modules/mount_ext2.c
129 +++ autofs-5.0.4/modules/mount_ext2.c
130 @@ -50,8 +50,12 @@ int mount_mount(struct autofs_point *ap,
132 if (root[len - 1] == '/') {
133 len = snprintf(fullpath, len, "%s", root);
134 - /* Direct mount name is absolute path so don't use root */
135 } else if (*name == '/') {
137 + * Direct or offset mount, name is absolute path so
138 + * don't use root (but with move mount changes root
139 + * is now the same as name).
141 len = sprintf(fullpath, "%s", root);
143 len = sprintf(fullpath, "%s/%s", root, name);
144 --- autofs-5.0.4.orig/modules/mount_generic.c
145 +++ autofs-5.0.4/modules/mount_generic.c
146 @@ -49,8 +49,12 @@ int mount_mount(struct autofs_point *ap,
148 if (root[len - 1] == '/') {
149 len = snprintf(fullpath, len, "%s", root);
150 - /* Direct mount name is absolute path so don't use root */
151 } else if (*name == '/') {
153 + * Direct or offset mount, name is absolute path so
154 + * don't use root (but with move mount changes root
155 + * is now the same as name).
157 len = sprintf(fullpath, "%s", root);
159 len = sprintf(fullpath, "%s/%s", root, name);
160 --- autofs-5.0.4.orig/modules/mount_nfs.c
161 +++ autofs-5.0.4/modules/mount_nfs.c
162 @@ -58,7 +58,8 @@ int mount_mount(struct autofs_point *ap,
163 const char *what, const char *fstype, const char *options,
166 - char *fullpath, buf[MAX_ERR_BUF];
167 + char fullpath[PATH_MAX];
168 + char buf[MAX_ERR_BUF];
169 struct host *this, *hosts = NULL;
171 char *nfsoptions = NULL;
172 @@ -150,14 +151,15 @@ int mount_mount(struct autofs_point *ap,
173 /* Root offset of multi-mount */
175 if (root[len - 1] == '/') {
176 - fullpath = alloca(len);
177 len = snprintf(fullpath, len, "%s", root);
178 - /* Direct mount name is absolute path so don't use root */
179 } else if (*name == '/') {
180 - fullpath = alloca(len + 1);
182 + * Direct or offset mount, name is absolute path so
183 + * don't use root (but with move mount changes root
184 + * is now the same as name).
186 len = sprintf(fullpath, "%s", root);
188 - fullpath = alloca(len + name_len + 2);
189 len = sprintf(fullpath, "%s/%s", root, name);
191 fullpath[len] = '\0';
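Review bot: `fullpath` is now a `PATH_MAX` stack array, but `sprintf(fullpath, "%s/%s", root, name)` and `sprintf(fullpath, "%s", root)` are still unbounded, and `snprintf(fullpath, len, "%s", root)` takes its size from the input rather than from the array. Before this change each branch allocated exactly what it was about to write; now a root/name pair longer than the array overflows the stack buffer, and the closing `fullpath[len] = '\0'` store follows it out of bounds. Add a guard ahead of the `if`, such as `if (len + name_len + 2 > sizeof(fullpath))` followed by an error return, or switch the two `sprintf` branches to `snprintf(fullpath, sizeof(fullpath), ...)` and treat truncation as failure. The context lines of mount_bind.c, mount_changer.c, mount_ext2.c and mount_generic.c show the same `sprintf` calls; their `fullpath` declarations are outside the hunks, so whether those are bounded cannot be told from this patch.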