autofs-5.0.4 - easy alloca replacements fix
From: Ian Kent <raven@themaw.net>
Fix array out of bounds accesses and remove alloca(3) calls from
modules/mount_autofs.c and modules/mount_nfs.c as well.
---
CHANGELOG | 1 +
modules/lookup_ldap.c | 3 ---
modules/mount_autofs.c | 9 ++-------
modules/mount_bind.c | 6 +++++-
modules/mount_changer.c | 6 +++++-
modules/mount_ext2.c | 6 +++++-
modules/mount_generic.c | 6 +++++-
modules/mount_nfs.c | 12 +++++++-----
8 files changed, 30 insertions(+), 19 deletions(-)
--- autofs-5.0.4.orig/CHANGELOG
+++ autofs-5.0.4/CHANGELOG
@@ -20,6 +20,7 @@
- update to configure libtirpc if present.
- update to provide ipv6 name and address support.
- update to provide ipv6 address parsing.
+- easy alloca replacements fix.
4/11/2008 autofs-5.0.4
-----------------------
--- autofs-5.0.4.orig/modules/lookup_ldap.c
+++ autofs-5.0.4/modules/lookup_ldap.c
@@ -1474,7 +1474,6 @@ int lookup_read_master(struct master *ma
free(query);
return NSS_STATUS_UNAVAIL;
}
- query[l] = '\0';
/* Initialize the LDAP context. */
ldap = do_reconnect(logopt, ctxt);
@@ -2213,7 +2212,6 @@ static int read_one_map(struct autofs_po
free(sp.query);
return NSS_STATUS_UNAVAIL;
}
- sp.query[l] = '\0';
/* Initialize the LDAP context. */
sp.ldap = do_reconnect(ap->logopt, ctxt);
@@ -2404,7 +2402,6 @@ static int lookup_one(struct autofs_poin
free(query);
return CHE_FAIL;
}
- query[ql] = '\0';
/* Initialize the LDAP context. */
ldap = do_reconnect(ap->logopt, ctxt);
--- autofs-5.0.4.orig/modules/mount_autofs.c
+++ autofs-5.0.4/modules/mount_autofs.c
@@ -45,7 +45,8 @@ int mount_mount(struct autofs_point *ap,
{
struct startup_cond suc;
pthread_t thid;
- char *realpath, *mountpoint;
+ char realpath[PATH_MAX];
+ char mountpoint[PATH_MAX];
const char **argv;
int argc, status, ghost = ap->flags & MOUNT_FLAG_GHOST;
time_t timeout = ap->exp_timeout;
@@ -62,8 +63,6 @@ int mount_mount(struct autofs_point *ap,
/* Root offset of multi-mount */
len = strlen(root);
if (root[len - 1] == '/') {
- realpath = alloca(strlen(ap->path) + name_len + 2);
- mountpoint = alloca(len + 1);
strcpy(realpath, ap->path);
strcat(realpath, "/");
strcat(realpath, name);
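Review bot: The copies into `realpath` and `mountpoint` stay unbounded (`strcpy(realpath, ap->path); strcat(realpath, "/"); strcat(realpath, name);` here), but the destination is now a fixed `PATH_MAX` array rather than an alloca() sized from the inputs, so an over-long `ap->path`, `root` or `name` would write past the end of a stack buffer. The same holds for `strncpy(mountpoint, root, len)` and the `strcpy`/`strcat` calls in the two following mount_autofs.c hunks (the `else if (*name == '/')` and `else` branches). Unless a caller outside these hunks already caps the lengths, add a guard after `len = strlen(root);` such as `if (strlen(ap->path) + name_len + 2 > PATH_MAX || len + name_len + 2 > PATH_MAX)` that fails the mount, or build the strings with `snprintf(realpath, sizeof(realpath), "%s/%s", ap->path, name)` and check the result for truncation. mount_mount starts and ends outside the hunk.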
@@ -71,8 +70,6 @@ int mount_mount(struct autofs_point *ap,
strncpy(mountpoint, root, len);
mountpoint[len] = '\0';
} else if (*name == '/') {
- realpath = alloca(name_len + 1);
- mountpoint = alloca(len + 1);
if (ap->flags & MOUNT_FLAG_REMOUNT) {
strcpy(mountpoint, name);
strcpy(realpath, name);
@@ -81,8 +78,6 @@ int mount_mount(struct autofs_point *ap,
strcpy(realpath, name);
}
} else {
- realpath = alloca(len + name_len + 2);
- mountpoint = alloca(len + name_len + 2);
strcpy(mountpoint, root);
strcat(mountpoint, "/");
strcpy(realpath, mountpoint);
--- autofs-5.0.4.orig/modules/mount_bind.c
+++ autofs-5.0.4/modules/mount_bind.c
@@ -81,8 +81,12 @@ int mount_mount(struct autofs_point *ap,
len = strlen(root);
if (root[len - 1] == '/') {
len = snprintf(fullpath, len, "%s", root);
- /* Direct mount name is absolute path so don't use root */
} else if (*name == '/') {
+ /*
+ * Direct or offset mount, name is absolute path so
+ * don't use root (but with move mount changes root
+ * is now the same as name).
+ */
len = sprintf(fullpath, "%s", root);
} else {
len = sprintf(fullpath, "%s/%s", root, name);
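Review bot: The relocated comment says "don't use root" directly above `len = sprintf(fullpath, "%s", root);`, which does use root, so the reader has to work out from the parenthesis that the first half describes older behaviour. Wording it as what the line does now would be clearer, for example `/* Direct or offset mount: name is an absolute path and, since the move mount changes, root already equals name, so root is used as-is. */`. The identical comment is added in mount_changer.c, mount_ext2.c, mount_generic.c and mount_nfs.c. This reading is inferred from the comment's own text; the code that makes root equal to name is not in the hunk.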
--- autofs-5.0.4.orig/modules/mount_changer.c
+++ autofs-5.0.4/modules/mount_changer.c
@@ -58,8 +58,12 @@ int mount_mount(struct autofs_point *ap,
len = strlen(root);
if (root[len - 1] == '/') {
len = snprintf(fullpath, len, "%s", root);
- /* Direct mount name is absolute path so don't use root */
} else if (*name == '/') {
+ /*
+ * Direct or offset mount, name is absolute path so
+ * don't use root (but with move mount changes root
+ * is now the same as name).
+ */
len = sprintf(fullpath, "%s", root);
} else {
len = sprintf(fullpath, "%s/%s", root, name);
--- autofs-5.0.4.orig/modules/mount_ext2.c
+++ autofs-5.0.4/modules/mount_ext2.c
@@ -50,8 +50,12 @@ int mount_mount(struct autofs_point *ap,
len = strlen(root);
if (root[len - 1] == '/') {
len = snprintf(fullpath, len, "%s", root);
- /* Direct mount name is absolute path so don't use root */
} else if (*name == '/') {
+ /*
+ * Direct or offset mount, name is absolute path so
+ * don't use root (but with move mount changes root
+ * is now the same as name).
+ */
len = sprintf(fullpath, "%s", root);
} else {
len = sprintf(fullpath, "%s/%s", root, name);
--- autofs-5.0.4.orig/modules/mount_generic.c
+++ autofs-5.0.4/modules/mount_generic.c
@@ -49,8 +49,12 @@ int mount_mount(struct autofs_point *ap,
len = strlen(root);
if (root[len - 1] == '/') {
len = snprintf(fullpath, len, "%s", root);
- /* Direct mount name is absolute path so don't use root */
} else if (*name == '/') {
+ /*
+ * Direct or offset mount, name is absolute path so
+ * don't use root (but with move mount changes root
+ * is now the same as name).
+ */
len = sprintf(fullpath, "%s", root);
} else {
len = sprintf(fullpath, "%s/%s", root, name);
--- autofs-5.0.4.orig/modules/mount_nfs.c
+++ autofs-5.0.4/modules/mount_nfs.c
@@ -58,7 +58,8 @@ int mount_mount(struct autofs_point *ap,
const char *what, const char *fstype, const char *options,
void *context)
{
- char *fullpath, buf[MAX_ERR_BUF];
+ char fullpath[PATH_MAX];
+ char buf[MAX_ERR_BUF];
struct host *this, *hosts = NULL;
unsigned int vers;
char *nfsoptions = NULL;
@@ -150,14 +151,15 @@ int mount_mount(struct autofs_point *ap,
/* Root offset of multi-mount */
len = strlen(root);
if (root[len - 1] == '/') {
- fullpath = alloca(len);
len = snprintf(fullpath, len, "%s", root);
- /* Direct mount name is absolute path so don't use root */
} else if (*name == '/') {
- fullpath = alloca(len + 1);
+ /*
+ * Direct or offset mount, name is absolute path so
+ * don't use root (but with move mount changes root
+ * is now the same as name).
+ */
len = sprintf(fullpath, "%s", root);
} else {
- fullpath = alloca(len + name_len + 2);
len = sprintf(fullpath, "%s/%s", root, name);
}
fullpath[len] = '\0';
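Review bot: None of the three branches bounds its write by the size of the new `char fullpath[PATH_MAX]`: the first passes `len` (the length of `root`) as the snprintf size and the other two use plain `sprintf`, so a `root`/`name` pair longer than PATH_MAX overruns the stack array, and `fullpath[len] = '\0'` then indexes past it. With alloca() the buffer grew with the inputs; with a fixed array a guard is needed after `len = strlen(root);`, e.g. `if (len + name_len + 2 > PATH_MAX)` followed by the function's usual error return, unless callers outside the hunk already cap these lengths. In the first branch snprintf returns the untruncated length, so `len` stays one larger than the string actually stored once the trailing '/' is dropped; a one-line comment saying so would save the next reader from treating `len` as `strlen(fullpath)`. The same snprintf/sprintf lines appear as context in the mount_bind.c, mount_changer.c, mount_ext2.c and mount_generic.c hunks, where the declaration of `fullpath` is not shown.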