On Thu, 2009-01-22 at 15:55 +1100, Paul Wankadia wrote:
> BTW, I'm still working through the analysis results. A few more
> problems have turned up.

Yeah, I can't see for looking.
Keep 'em coming.

> 
> 
> modules/lookup_hosts.c:
>     119 int lookup_mount(struct autofs_point *ap, const char *name, int name_len, void *context)
> ...
>     146                 if (!me->mapent) {
>     147                         cache_delete(me->mc, name);
>     148                         me = NULL;
>     149                 }
>     150
>     151                 cache_unlock(me->mc);
> 
> That is a NULL pointer dereference.
> 
> 
> lib/macros.c:
>     163 int macro_parse_globalvar(const char *define)
>     164 {
>     165         char buf[MAX_MACRO_STRING];
>     166         char *pbuf, *value;
>     167
>     168         if (strlen(define) > MAX_MACRO_STRING)
>     169                 return 0;
>     170
>     171         strcpy(buf, define);
> 
> That is a buffer overflow.
> 
> 
> modules/parse_hesiod.c:
>      84 static int parse_nfs(struct autofs_point *ap,
> ...
>     108         for (i = 0; (!isspace(p[i]) && i < (int) sizeof(mount)); i++) {
>     109                 mount[i] = p[i];
>     110         }
>     111
>     112         mount[i] = 0;
>     113         p += i;
> 
> That is a buffer overflow. There are six more loops with similar
> problems.
> 
> 
> daemon/indirect.c:
>      86 static int do_mount_autofs_indirect(struct autofs_point *ap, const char *root)
> ...
>     160         free(options);
>     161
>     162         ret = stat(root, &st);
>     163         if (ret == -1) {
>     164                 crit(ap->logopt,
>     165                      "failed to stat mount for autofs path %s", ap->path);
>     166                 goto out_umount;
>     167         }
> ...
>     185 out_umount:
>     186         umount(root);
>     187 out_rmdir:
>     188         if (ap->flags & MOUNT_FLAG_DIR_CREATED)
>     189                 rmdir(root);
>     190 out_err:
>     191         if (options)
>     192                 free(options);
> 
> That is a double free(3) call.
> 
> 
> lib/cache.c:
>     180 struct mapent_cache *cache_init(struct autofs_point *ap, struct map_source *map)
> ...
>     195         mc->hash = malloc(mc->size * sizeof(struct entry *));
> ...
>     231 struct mapent_cache *cache_init_null_cache(struct master *master)
> ...
>     246         mc->hash = malloc(mc->size * sizeof(struct entry *));
> 
> `struct mapent *' might be more correct. ;)

_______________________________________________
autofs mailing list
http://linux.kernel.org/mailman/listinfo/autofs
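As an added illustration (not code from the autofs tree or from either poster), this shows how the two off-by-one overflows quoted above are bounded correctly: the `> MAX_MACRO_STRING` guard in lib/macros.c lets a string of exactly MAX_MACRO_STRING characters through, after which strcpy writes one byte past buf for the terminator, and the `i < sizeof(mount)` loop in modules/parse_hesiod.c can fill the whole array and then store the terminator at mount[sizeof(mount)]. The function names `copy_define` and `copy_token` are hypothetical, and the buffer sizes in the comments are chosen for the demonstration, not taken from autofs.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Corrected guard for the lib/macros.c case. strcpy writes strlen(define) + 1
 * bytes, so a define of exactly bufsz characters must be rejected as well;
 * the original "strlen(define) > MAX_MACRO_STRING" check accepts it.
 * Returns 1 when the string was copied, 0 when it would not fit. */
int copy_define(char *buf, size_t bufsz, const char *define)
{
    size_t len = strlen(define);

    if (len >= bufsz)            /* original used ">" and overflowed by one */
        return 0;
    memcpy(buf, define, len + 1); /* includes the terminating NUL */
    return 1;
}

/* Corrected loop for the modules/parse_hesiod.c case. Three changes from the
 * quoted loop: the bound is checked before p[i] is read, the loop stops one
 * short of dstsz so "dst[i] = 0" stays inside the array, and a NUL in the
 * input ends the token (isspace('\0') is false, so the original kept going).
 * Returns the token length, or -1 if the token did not fit in dst, which the
 * caller should treat as a parse error rather than as a truncated name. */
int copy_token(char *dst, size_t dstsz, const char *p)
{
    size_t i;

    for (i = 0; i < dstsz - 1 && p[i] != '\0' && !isspace((unsigned char)p[i]); i++)
        dst[i] = p[i];
    dst[i] = '\0';

    /* If we stopped for any reason other than end-of-token, it was the bound. */
    if (p[i] != '\0' && !isspace((unsigned char)p[i]))
        return -1;
    return (int)i;
}
```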