autofs-5.0.6 - fix segmentation fault in do_remount_indirect()

From: Leonardo Chiquitto <leonardo.lists@gmail.com>

In some rare circumstance, it's possible that automount will crash
on startup while trying to reconnect to a "half-broken" NFS mount
point.

The segmentation fault happens because we're not testing scandir()'s
return value in do_remount_indirect():

lib/mounts.c:
1210       i = j = scandir(buf, &de2, 0, alphasort);
1211       while (i--)
1212         free(de2[i]);

So, if scandir() returns -1, it will try to free de2[-1], de2[-2], etc.

Here's the call trace, for reference:

Program terminated with signal 11, Segmentation fault.
#0  0x00007ffff7fe2425 in do_remount_indirect (ap=0x7ffff821e070, fd=15,
    path=0x7ffff821e150 "/nfs/iil") at mounts.c:1212
1212                    free(de2[i]);
(gdb) print j
$1 = -1
(gdb) print de2
$3 = (struct dirent **) 0x0

#0  0x00007ffff7fe2425 in do_remount_indirect (ap=0x7ffff821e070, fd=15,
    path=0x7ffff821e150 "/nfs/iil") at mounts.c:1212
#1  0x00007ffff7fe2a48 in remount_active_mount (ap=0x7ffff821e070, mc=0x0,
    path=0x7ffff821e150 "/nfs/iil", devid=20, type=<optimized out>,
    ioctlfd=0x7ffff6e5babc) at mounts.c:1327
#2  0x00007ffff7fe2ac6 in try_remount (ap=0x7ffff821e070, me=0x0, type=1)
    at mounts.c:1357
#3  0x00007ffff7fd35e0 in do_mount_autofs_indirect (root=<optimized out>,
    ap=<optimized out>) at indirect.c:103
#4  mount_autofs_indirect (ap=0x7ffff821e070, root=0x7ffff8202d50 "/nfs/iil")
    at indirect.c:213
#5  0x00007ffff7fd1473 in mount_autofs (root=<optimized out>,
    ap=<optimized out>) at automount.c:1005
#6  handle_mounts (arg=0x7fffffffdfd0) at automount.c:1526
#7  0x00007ffff7b8e5f0 in start_thread (arg=<optimized out>)
    at pthread_create.c:297
#8  0x00007ffff6f3187d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#9  0x0000000000000000 in ?? ()

Suggested fix:

Check scandir() return value

In some rare circumstance, it's possible that automount will crash
on startup while trying to reconnect to a "half-broken" NFS mount
point.
---

 CHANGELOG    |    1 +
 lib/mounts.c |    4 ++++
 2 files changed, 5 insertions(+)


--- autofs-5.0.6.orig/CHANGELOG
+++ autofs-5.0.6/CHANGELOG
@@ -30,6 +30,7 @@
 - rework error return handling in rpc code.
 - catch EHOSTUNREACH and bail out early.
 - systemd support fixes.
+- check scandir() return value.
 
 28/06/2011 autofs-5.0.6
 -----------------------
--- autofs-5.0.6.orig/lib/mounts.c
+++ autofs-5.0.6/lib/mounts.c
@@ -1355,6 +1355,10 @@ static int do_remount_indirect(struct au
 			int i, j;
 
 			i = j = scandir(buf, &de2, 0, alphasort);
+			if (i < 0) {
+				free(de[n]);
+				continue;
+			}
 			while (i--)
 				free(de2[i]);
 			free(de2);
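Review bot: the early exit at `if (i < 0)` frees `de[n]` and `continue`s, but the rest of the loop body is not in the hunk, so confirm that `free(de[n])` is the complete per-iteration cleanup: anything the normal path releases after `free(de2);` would be leaked on this branch. The failure is also silent; since a scandir() error on an entry is exactly the "half-broken" mount condition the report describes, logging the path in `buf` together with errno before the `continue` would make the skipped entry visible in the daemon log rather than leaving a mount quietly unreconnected.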
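To show why the unchecked cleanup loop in the report walks negative indices and what the added check changes, here is a stand-alone C example in the same shape as do_remount_indirect() (outer scandir() over a directory, inner scandir() per entry). This is added illustration, not autofs code: the function names count_failed_scans() and demo_on_constructed_tree() are hypothetical, and the fixture it builds under $TMPDIR (or /tmp) is constructed, with a dangling symlink standing in for the half-broken NFS mount, since scandir() on it fails with ENOENT just as the report's mount did.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* scandir() filter: drop "." and ".." so only real entries are listed. */
static int skip_dot_entries(const struct dirent *d)
{
    return strcmp(d->d_name, ".") != 0 && strcmp(d->d_name, "..") != 0;
}

/*
 * Same shape as do_remount_indirect(): an outer scandir() over 'path'
 * and an inner scandir() for every entry.  Returns the number of entries
 * whose inner scandir() failed (each is skipped, as the patch does), or
 * -1 if the outer scandir() failed.  *seen receives the outer count.
 */
int count_failed_scans(const char *path, int *seen)
{
    struct dirent **de = NULL, **de2 = NULL;
    char buf[PATH_MAX];
    int n, i, j, failed = 0;

    n = scandir(path, &de, skip_dot_entries, alphasort);
    if (n < 0)
        return -1;          /* nothing was allocated: nothing to free */
    if (seen)
        *seen = n;

    for (i = 0; i < n; i++) {
        snprintf(buf, sizeof buf, "%s/%s", path, de[i]->d_name);
        j = scandir(buf, &de2, skip_dot_entries, alphasort);
        if (j < 0) {
            /*
             * The check the patch adds.  Without it, "while (j--)" below
             * starts with j == -1 (true), so free(de2[-1]) is reached with
             * de2 == NULL: the SIGSEGV in the report.  Log and skip instead.
             */
            fprintf(stderr, "skip %s: scandir: %s\n", buf, strerror(errno));
            failed++;
            free(de[i]);
            continue;
        }
        while (j--)         /* safe: j >= 0 here */
            free(de2[j]);
        free(de2);
        free(de[i]);
    }
    free(de);
    return failed;
}

/*
 * Constructed fixture: a temp dir holding one real subdirectory ("good")
 * and one dangling symlink ("broken"), which fails scandir() with ENOENT
 * just as a half-broken mount would.  Runs the scan, removes the tree and
 * returns the failure count (1 expected), -2 if the fixture could not be
 * created, or -3 if the outer scan did not see both entries.
 */
int demo_on_constructed_tree(void)
{
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char root[PATH_MAX], good[PATH_MAX], broken[PATH_MAX];
    int seen = 0, failed;

    snprintf(root, sizeof root, "%s/scandir-demo-XXXXXX", tmp);
    if (!mkdtemp(root))
        return -2;
    snprintf(good, sizeof good, "%s/good", root);
    snprintf(broken, sizeof broken, "%s/broken", root);
    if (mkdir(good, 0755) != 0 ||
        symlink("/nonexistent-scandir-demo-target", broken) != 0) {
        unlink(broken); rmdir(good); rmdir(root);
        return -2;
    }

    failed = count_failed_scans(root, &seen);

    unlink(broken);
    rmdir(good);
    rmdir(root);
    return (seen == 2) ? failed : -3;
}

int main(void)
{
    printf("nonexistent root -> %d (expect -1)\n",
           count_failed_scans("/this/path/does/not/exist", NULL));
    printf("constructed tree -> %d broken entry skipped (expect 1)\n",
           demo_on_constructed_tree());
    return 0;
}
```

The inner `continue` branch does exactly what the patch does (free the outer entry and move on) plus a log line, so a skipped entry leaves a trace; the outer `n < 0` return shows the simpler case where nothing was allocated and the cleanup loop must not run at all.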