autofs-5.0.3 - check direct mount path length

From: Ian Kent <raven@themaw.net>

The length of the path corresponding to a direct mount can't be

checked in the kernel so we need to check it will fit into the

request structire before going ahead with the mount. The name

field of the request structure is also to short and so is increased

to PATH_MAX.

---

 CHANGELOG           |    1 +

 daemon/direct.c     |   15 +++++++++++++--

 include/automount.h |    2 +-

 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG

index 2553f26..82b080c 100644

--- a/CHANGELOG

+++ b/CHANGELOG

@@ -20,6 +20,7 @@

 - eliminate redundant DNS name lookups.

 - additional fix incorrect pthreads condition handling for mount requests.

 - allow mount point directory creation for clients with an NFS root.

+- fix direct mount path length not being checked.

 14/01/2008 autofs-5.0.3

 -----------------------

diff --git a/daemon/direct.c b/daemon/direct.c

index 768fbf9..98590ec 100644

--- a/daemon/direct.c

+++ b/daemon/direct.c

@@ -1411,7 +1411,7 @@ static void *do_mount_direct(void *arg)

 	}

 cont:

-	status = lookup_nss_mount(ap, NULL, mt.name, strlen(mt.name));

+	status = lookup_nss_mount(ap, NULL, mt.name, mt.len);

 	/*

 	 * Direct mounts are always a single mount. If it fails there's

 	 * nothing to undo so just complain

@@ -1454,7 +1454,7 @@ int handle_packet_missing_direct(struct autofs_point *ap, autofs_packet_missing_

 	struct pending_args *mt;

 	char buf[MAX_ERR_BUF];

 	int status = 0;

-	int ioctlfd, cl_flags, state;

+	int ioctlfd, len, cl_flags, state;

 	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &state);

@@ -1525,6 +1525,16 @@ int handle_packet_missing_direct(struct autofs_point *ap, autofs_packet_missing_

 		return 1;

 	}

+	len = strlen(me->key);

+	if (len >= PATH_MAX) {

+		error(ap->logopt, "direct mount path too long %s", me->key);

+		send_fail(ap->logopt, ioctlfd, pkt->wait_queue_token);

+		close(ioctlfd);

+		cache_unlock(mc);

+		pthread_setcancelstate(state, NULL);

+		return 1;

+	}

+

 	mt = malloc(sizeof(struct pending_args));

 	if (!mt) {

 		char *estr = strerror_r(errno, buf, MAX_ERR_BUF);

@@ -1553,6 +1563,7 @@ int handle_packet_missing_direct(struct autofs_point *ap, autofs_packet_missing_

 	mt->ioctlfd = ioctlfd;

 	mt->mc = mc;

 	strcpy(mt->name, me->key);

+	mt->len = len;

 	mt->dev = me->dev;

 	mt->type = NFY_MOUNT;

 	mt->uid = pkt->uid;

diff --git a/include/automount.h b/include/automount.h

index d59be77..72e2457 100644

--- a/include/automount.h

+++ b/include/automount.h

@@ -409,7 +409,7 @@ struct pending_args {

 	int type;			/* Type of packet */

 	int ioctlfd;			/* Mount ioctl fd */

 	struct mapent_cache *mc;	/* Cache Containing entry */

-	char name[KEY_MAX_LEN];		/* Name field of the request */

+	char name[PATH_MAX];		/* Name field of the request */

 	dev_t dev;			/* device number of mount */

 	unsigned int len;		/* Name field len */

 	uid_t uid;			/* uid of requestor */