diff --git a/autofs-5.0.4-easy-alloca-replacements-fix.patch b/autofs-5.0.4-easy-alloca-replacements-fix.patch
new file mode 100644
index 0000000..6be5782
--- /dev/null
+++ b/autofs-5.0.4-easy-alloca-replacements-fix.patch
@@ -0,0 +1,195 @@
+autofs-5.0.4 - easy alloca replacements fix
+
+From: Ian Kent
+
+Fix array out of bounds accesses and remove alloca(3) calls from
+modules/mount_autofs.c and modules/mount_nfs.c as well.
+---
+
+ CHANGELOG | 1 +
+ modules/lookup_ldap.c | 3 ---
+ modules/mount_autofs.c | 11 +++--------
+ modules/mount_bind.c | 6 +++++-
+ modules/mount_changer.c | 6 +++++-
+ modules/mount_ext2.c | 6 +++++-
+ modules/mount_generic.c | 6 +++++-
+ modules/mount_nfs.c | 12 +++++++-----
+ 8 files changed, 31 insertions(+), 20 deletions(-)
+
+
+--- autofs-5.0.4.orig/CHANGELOG
++++ autofs-5.0.4/CHANGELOG
+@@ -20,6 +20,7 @@
+ - update to configure libtirpc if present.
+ - update to provide ipv6 name and address support.
+ - update to provide ipv6 address parsing.
++- easy alloca replacements fix.
+
+ 4/11/2008 autofs-5.0.4
+ -----------------------
+--- autofs-5.0.4.orig/modules/lookup_ldap.c
++++ autofs-5.0.4/modules/lookup_ldap.c
+@@ -1474,7 +1474,6 @@ int lookup_read_master(struct master *ma
+ free(query);
+ return NSS_STATUS_UNAVAIL;
+ }
+- query[l] = '\0';
+
+ /* Initialize the LDAP context. */
+ ldap = do_reconnect(logopt, ctxt);
+@@ -2213,7 +2212,6 @@ static int read_one_map(struct autofs_po
+ free(sp.query);
+ return NSS_STATUS_UNAVAIL;
+ }
+- sp.query[l] = '\0';
+
+ /* Initialize the LDAP context. */
+ sp.ldap = do_reconnect(ap->logopt, ctxt);
+@@ -2404,7 +2402,6 @@ static int lookup_one(struct autofs_poin
+ free(query);
+ return CHE_FAIL;
+ }
+- query[ql] = '\0';
+
+ /* Initialize the LDAP context. */
+ ldap = do_reconnect(ap->logopt, ctxt);
+--- autofs-5.0.4.orig/modules/mount_autofs.c
++++ autofs-5.0.4/modules/mount_autofs.c
+@@ -45,7 +45,8 @@ int mount_mount(struct autofs_point *ap,
+ {
+ struct startup_cond suc;
+ pthread_t thid;
+- char *realpath, *mountpoint;
++ char realpath[PATH_MAX];
++ char mountpoint[PATH_MAX];
+ const char **argv;
+ int argc, status, ghost = ap->flags & MOUNT_FLAG_GHOST;
+ time_t timeout = ap->exp_timeout;
+@@ -62,8 +63,6 @@ int mount_mount(struct autofs_point *ap,
+ /* Root offset of multi-mount */
+ len = strlen(root);
+ if (root[len - 1] == '/') {
+- realpath = alloca(strlen(ap->path) + name_len + 2);
+- mountpoint = alloca(len + 1);
+ strcpy(realpath, ap->path);
+ strcat(realpath, "/");
+ strcat(realpath, name);
+@@ -71,8 +70,6 @@ int mount_mount(struct autofs_point *ap,
+ strncpy(mountpoint, root, len);
+ mountpoint[len] = '\0';
+ } else if (*name == '/') {
+- realpath = alloca(name_len + 1);
+- mountpoint = alloca(len + 1);
+ if (ap->flags & MOUNT_FLAG_REMOUNT) {
+ strcpy(mountpoint, name);
+ strcpy(realpath, name);
+@@ -81,12 +78,10 @@ int mount_mount(struct autofs_point *ap,
+ strcpy(realpath, name);
+ }
+ } else {
+- realpath = alloca(len + name_len + 2);
+- mountpoint = alloca(len + name_len + 2);
+ strcpy(mountpoint, root);
+ strcat(mountpoint, "/");
+- strcpy(realpath, mountpoint);
+ strcat(mountpoint, name);
++ strcpy(realpath, mountpoint);
+ strcat(realpath, name);
+ }
+
+--- autofs-5.0.4.orig/modules/mount_bind.c
++++ autofs-5.0.4/modules/mount_bind.c
+@@ -81,8 +81,12 @@ int mount_mount(struct autofs_point *ap,
+ len = strlen(root);
+ if (root[len - 1] == '/') {
+ len = snprintf(fullpath, len, "%s", root);
+- /* Direct mount name is absolute path so don't use root */
+ } else if (*name == '/') {
++ /*
++ * Direct or offset mount, name is absolute path so
++ * don't use root (but with move mount changes root
++ * is now the same as name).
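Review bot: In the final `else` branch of the modules/mount_autofs.c hunk `@@ -81,12 +78,10 @@`, `strcpy(realpath, mountpoint);` now runs after `strcat(mountpoint, name);`, so the unchanged `strcat(realpath, name);` that follows appends `name` a second time and `realpath` no longer equals root/name. Either drop that trailing `strcat(realpath, name);` or leave the copy where it was, before `name` is appended to `mountpoint`. Separately, `realpath` and `mountpoint` are now fixed `PATH_MAX` arrays filled by `strcpy`/`strcat` from `ap->path`, `root` and `name`, where the removed `alloca()` sizes tracked the inputs; no length check is visible in these hunks, so an over-long path would write past the array unless the caller already bounds it. A guard on `len + name_len + 2` (and `strlen(ap->path) + name_len + 2`) against `PATH_MAX` before the copies, failing the mount when exceeded, would close that. mount_mount() starts and ends outside the hunks shown.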
++ */
+ len = sprintf(fullpath, "%s", root);
+ } else {
+ len = sprintf(fullpath, "%s/%s", root, name);
+--- autofs-5.0.4.orig/modules/mount_changer.c
++++ autofs-5.0.4/modules/mount_changer.c
+@@ -58,8 +58,12 @@ int mount_mount(struct autofs_point *ap,
+ len = strlen(root);
+ if (root[len - 1] == '/') {
+ len = snprintf(fullpath, len, "%s", root);
+- /* Direct mount name is absolute path so don't use root */
+ } else if (*name == '/') {
++ /*
++ * Direct or offset mount, name is absolute path so
++ * don't use root (but with move mount changes root
++ * is now the same as name).
++ */
+ len = sprintf(fullpath, "%s", root);
+ } else {
+ len = sprintf(fullpath, "%s/%s", root, name);
+--- autofs-5.0.4.orig/modules/mount_ext2.c
++++ autofs-5.0.4/modules/mount_ext2.c
+@@ -50,8 +50,12 @@ int mount_mount(struct autofs_point *ap,
+ len = strlen(root);
+ if (root[len - 1] == '/') {
+ len = snprintf(fullpath, len, "%s", root);
+- /* Direct mount name is absolute path so don't use root */
+ } else if (*name == '/') {
++ /*
++ * Direct or offset mount, name is absolute path so
++ * don't use root (but with move mount changes root
++ * is now the same as name).
++ */
+ len = sprintf(fullpath, "%s", root);
+ } else {
+ len = sprintf(fullpath, "%s/%s", root, name);
+--- autofs-5.0.4.orig/modules/mount_generic.c
++++ autofs-5.0.4/modules/mount_generic.c
+@@ -49,8 +49,12 @@ int mount_mount(struct autofs_point *ap,
+ len = strlen(root);
+ if (root[len - 1] == '/') {
+ len = snprintf(fullpath, len, "%s", root);
+- /* Direct mount name is absolute path so don't use root */
+ } else if (*name == '/') {
++ /*
++ * Direct or offset mount, name is absolute path so
++ * don't use root (but with move mount changes root
++ * is now the same as name).
++ */
+ len = sprintf(fullpath, "%s", root);
+ } else {
+ len = sprintf(fullpath, "%s/%s", root, name);
+--- autofs-5.0.4.orig/modules/mount_nfs.c
++++ autofs-5.0.4/modules/mount_nfs.c
+@@ -58,7 +58,8 @@ int mount_mount(struct autofs_point *ap,
+ const char *what, const char *fstype, const char *options,
+ void *context)
+ {
+- char *fullpath, buf[MAX_ERR_BUF];
++ char fullpath[PATH_MAX];
++ char buf[MAX_ERR_BUF];
+ struct host *this, *hosts = NULL;
+ unsigned int vers;
+ char *nfsoptions = NULL;
+@@ -150,14 +151,15 @@ int mount_mount(struct autofs_point *ap,
+ /* Root offset of multi-mount */
+ len = strlen(root);
+ if (root[len - 1] == '/') {
+- fullpath = alloca(len);
+ len = snprintf(fullpath, len, "%s", root);
+- /* Direct mount name is absolute path so don't use root */
+ } else if (*name == '/') {
+- fullpath = alloca(len + 1);
++ /*
++ * Direct or offset mount, name is absolute path so
++ * don't use root (but with move mount changes root
++ * is now the same as name).
++ */
+ len = sprintf(fullpath, "%s", root);
+ } else {
+- fullpath = alloca(len + name_len + 2);
+ len = sprintf(fullpath, "%s/%s", root, name);
+ }
+ fullpath[len] = '\0';
diff --git a/autofs.spec b/autofs.spec
index 89d627e..31ac167 100644
--- a/autofs.spec
+++ b/autofs.spec
@@ -4,7 +4,7 @@
 Summary: A tool for automatically mounting and unmounting filesystems
 Name: autofs
 Version: 5.0.4
-Release: 10
+Release: 11
 Epoch: 1
 License: GPLv2+
 Group: System Environment/Daemons
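Review bot: With `fullpath` now declared as `char fullpath[PATH_MAX]` in modules/mount_nfs.c, the writes in the `@@ -150,14 +151,15 @@` hunk are bounded only by the input: `snprintf(fullpath, len, "%s", root)` uses `strlen(root)` rather than the array size as its limit, and the two `sprintf()` calls have no limit at all. If `root` plus `name` can exceed `PATH_MAX`, the copy and the following `fullpath[len] = '\0';` land past the array; nothing in the hunk shows these lengths being validated earlier, so that should be confirmed or enforced here. I would test `len + name_len + 2 > sizeof(fullpath)` before the branches and fail the mount, or switch the last branch to `snprintf(fullpath, sizeof(fullpath), "%s/%s", root, name)` and reject a return value `>= sizeof(fullpath)`. The same unbounded `sprintf(fullpath, ...)` calls appear as context in the mount_bind.c, mount_changer.c, mount_ext2.c and mount_generic.c hunks, where the declaration of `fullpath` is outside the hunk.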
@@ -32,6 +32,7 @@ Patch19: autofs-5.0.4-configure-libtirpc.patch Patch20: autofs-5.0.4-ipv6-name-and-address-support.patch Patch21: autofs-5.0.4-ipv6-parse.patch Patch22: autofs-5.0.4-use-CLOEXEC-flag-setmntent-include-fix.patch +Patch23: autofs-5.0.4-easy-alloca-replacements-fix.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: autoconf, hesiod-devel, openldap-devel, bison, flex, libxml2-devel, cyrus-sasl-devel, openssl-devel module-init-tools util-linux nfs-utils e2fsprogs Requires: kernel >= 2.6.17 @@ -95,6 +96,7 @@ echo %{version}-%{release} > .version %patch20 -p1 %patch21 -p1 %patch22 -p1 +%patch23 -p1 %build #CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=/usr --libdir=%{_libdir} @@ -147,6 +149,9 @@ fi %{_libdir}/autofs/ %changelog +* Thu Feb 19 2009 Ian Kent - 5.0.4-11 +- fix array out of bounds accesses and cleanup couple of other alloca() calls. + * Thu Feb 19 2009 Ian Kent - 5.0.4-10 - fix mntent.h not included before use of setmntent_r().