BTW, I'm still working through the analysis results. A few more problems
have turned up.
modules/lookup_hosts.c:
119 int lookup_mount(struct autofs_point *ap, const char *name, int
name_len, void *context)
...
146 if (!me->mapent) {
147 cache_delete(me->mc, name);
148 me = NULL;
149 }
150
151 cache_unlock(me->mc);
That is a NULL pointer dereference: `me` is set to NULL at line 148 and then `me->mc` is read at line 151 to unlock the cache. Save the `struct mapent_cache *` in a local before the `cache_delete()` branch and unlock through that, not through `me`.
lib/macros.c:
163 int macro_parse_globalvar(const char *define)
164 {
165 char buf[MAX_MACRO_STRING];
166 char *pbuf, *value;
167
168 if (strlen(define) > MAX_MACRO_STRING)
169 return 0;
170
171 strcpy(buf, define);
That is an off-by-one buffer overflow: the check only rejects strings longer than MAX_MACRO_STRING, so a `define` of exactly MAX_MACRO_STRING characters passes and strcpy() writes MAX_MACRO_STRING + 1 bytes (including the terminating NUL) into a buffer of MAX_MACRO_STRING. The comparison needs to be `>=`.
modules/parse_hesiod.c:
84 static int parse_nfs(struct autofs_point *ap,
...
108 for (i = 0; (!isspace(p[i]) && i < (int) sizeof(mount));
i++) {
109 mount[i] = p[i];
110 }
111
112 mount[i] = 0;
113 p += i;
That is a buffer overflow: the loop can exit with `i == sizeof(mount)`, so `mount[i] = 0` at line 112 writes one byte past the end of the array. The bound should be `i < (int) sizeof(mount) - 1`. Note also that `isspace('\0')` is false, so if no whitespace precedes the string's terminator the loop keeps reading `p` past its NUL until the size bound stops it. There are six more loops with similar problems.
daemon/indirect.c:
86 static int do_mount_autofs_indirect(struct autofs_point *ap, const
char *root)
...
160 free(options);
161
162 ret = stat(root, &st);
163 if (ret == -1) {
164 crit(ap->logopt,
165 "failed to stat mount for autofs path %s",
ap->path);
166 goto out_umount;
167 }
...
185 out_umount:
186 umount(root);
187 out_rmdir:
188 if (ap->flags & MOUNT_FLAG_DIR_CREATED)
189 rmdir(root);
190 out_err:
191 if (options)
192 free(options);
That is a double free(3) call: `options` is freed at line 160 but not cleared, so any later error path (such as the failed stat() at 162) reaches `out_err` and frees it again. Setting `options = NULL` immediately after the free at line 160 is the safe fix, since earlier error paths (not shown) may still reach out_err with `options` allocated; the `if (options)` guard is redundant anyway, as free(NULL) is a no-op.
lib/cache.c:
180 struct mapent_cache *cache_init(struct autofs_point *ap, struct
map_source *map)
...
195 mc->hash = malloc(mc->size * sizeof(struct entry *));
...
231 struct mapent_cache *cache_init_null_cache(struct master *master)
...
246 mc->hash = malloc(mc->size * sizeof(struct entry *));
`struct mapent *' might be more correct. ;) In practice all struct pointers have the same size, so this is a wrong-type typo rather than an undersized allocation, but `sizeof(*mc->hash)` would tie the element size to the declaration and rule out this class of mistake.