autofs-5.0.4 - easy alloca replacements fix
From: Ian Kent
Fix array out of bounds accesses and remove alloca(3) calls from modules/mount_autofs.c and modules/mount_nfs.c as well.
---
 CHANGELOG | 2 +-
 modules/lookup_ldap.c | 3 ---
 modules/mount_autofs.c | 9 ++-------
 modules/mount_bind.c | 6 +++++-
 modules/mount_changer.c | 6 +++++-
 modules/mount_ext2.c | 6 +++++-
 modules/mount_generic.c | 6 +++++-
 modules/mount_nfs.c | 12 +++++++-----
 8 files changed, 30 insertions(+), 20 deletions(-)
--- autofs-5.0.4.orig/CHANGELOG
+++ autofs-5.0.4/CHANGELOG
@@ -20,7 +20,7 @@
 - update to configure libtirpc if present.
 - update to provide ipv6 name and address support.
 - update to provide ipv6 address parsing.
-
+- easy alloca replacements fix.
 4/11/2008 autofs-5.0.4
 -----------------------
--- autofs-5.0.4.orig/modules/lookup_ldap.c
+++ autofs-5.0.4/modules/lookup_ldap.c
@@ -1474,7 +1474,6 @@ int lookup_read_master(struct master *ma
 free(query);
 return NSS_STATUS_UNAVAIL;
 }
- query[l] = '\0';
 /* Initialize the LDAP context. */
 ldap = do_reconnect(logopt, ctxt);
@@ -2213,7 +2212,6 @@ static int read_one_map(struct autofs_po
 free(sp.query);
 return NSS_STATUS_UNAVAIL;
 }
- sp.query[l] = '\0';
 /* Initialize the LDAP context. */
 sp.ldap = do_reconnect(ap->logopt, ctxt);
@@ -2404,7 +2402,6 @@ static int lookup_one(struct autofs_poin
 free(query);
 return CHE_FAIL;
 }
- query[ql] = '\0';
 /* Initialize the LDAP context. */
 ldap = do_reconnect(ap->logopt, ctxt);
--- autofs-5.0.4.orig/modules/mount_autofs.c
+++ autofs-5.0.4/modules/mount_autofs.c
@@ -45,7 +45,8 @@ int mount_mount(struct autofs_point *ap,
 {
 struct startup_cond suc;
 pthread_t thid;
- char *realpath, *mountpoint;
+ char realpath[PATH_MAX];
+ char mountpoint[PATH_MAX];
 const char **argv;
 int argc, status, ghost = ap->flags & MOUNT_FLAG_GHOST;
 time_t timeout = ap->exp_timeout;
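Review bot: In modules/mount_autofs.c, `realpath` and `mountpoint` become fixed `PATH_MAX` arrays in this hunk, but the three later hunks (-62, -71, -81) still fill them with unbounded `strcpy`/`strcat` calls and `strncpy(mountpoint, root, len)`, so the write is no longer sized from its input. Nothing in the visible lines compares `strlen(ap->path)`, `len` or `name_len` with `PATH_MAX`; unless such a check exists outside these hunks, an over-long `root`, `name` or `ap->path` now runs past a stack array where the alloca version derived the size from the input lengths. I would build each path with a bounded call and fail the mount on truncation, e.g. `n = snprintf(realpath, sizeof(realpath), "%s/%s", ap->path, name);` followed by `if (n < 0 || (size_t) n >= sizeof(realpath))` and the function's error return. The body of mount_mount starts and ends outside these hunks.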
@@ -62,8 +63,6 @@ int mount_mount(struct autofs_point *ap,
 /* Root offset of multi-mount */
 len = strlen(root);
 if (root[len - 1] == '/') {
- realpath = alloca(strlen(ap->path) + name_len + 2);
- mountpoint = alloca(len + 1);
 strcpy(realpath, ap->path);
 strcat(realpath, "/");
 strcat(realpath, name);
@@ -71,8 +70,6 @@ int mount_mount(struct autofs_point *ap,
 strncpy(mountpoint, root, len);
 mountpoint[len] = '\0';
 } else if (*name == '/') {
- realpath = alloca(name_len + 1);
- mountpoint = alloca(len + 1);
 if (ap->flags & MOUNT_FLAG_REMOUNT) {
 strcpy(mountpoint, name);
 strcpy(realpath, name);
@@ -81,8 +78,6 @@ int mount_mount(struct autofs_point *ap,
 strcpy(realpath, name);
 }
 } else {
- realpath = alloca(len + name_len + 2);
- mountpoint = alloca(len + name_len + 2);
 strcpy(mountpoint, root);
 strcat(mountpoint, "/");
 strcpy(realpath, mountpoint);
--- autofs-5.0.4.orig/modules/mount_bind.c
+++ autofs-5.0.4/modules/mount_bind.c
@@ -81,8 +81,12 @@ int mount_mount(struct autofs_point *ap,
 len = strlen(root);
 if (root[len - 1] == '/') {
 len = snprintf(fullpath, len, "%s", root);
- /* Direct mount name is absolute path so don't use root */
 } else if (*name == '/') {
+ /*
+ * Direct or offset mount, name is absolute path so
+ * don't use root (but with move mount changes root
+ * is now the same as name).
+ */
 len = sprintf(fullpath, "%s", root);
 } else {
 len = sprintf(fullpath, "%s/%s", root, name);
--- autofs-5.0.4.orig/modules/mount_changer.c
+++ autofs-5.0.4/modules/mount_changer.c
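Review bot: The reworded comment in modules/mount_bind.c (and the identical blocks added to mount_changer.c, mount_ext2.c, mount_generic.c and mount_nfs.c) says "don't use root" directly above `len = sprintf(fullpath, "%s", root);`, which reads as a contradiction until the parenthetical is untangled. If I read it correctly, root already equals name for these mounts, so a wording such as `/* Direct or offset mount: name is an absolute path and, since the move mount changes, root is identical to it, so root alone is the full path. */` says that directly. Five copies of the same branch and comment also suggest a shared helper for this path construction, which would give one place to bound the write into `fullpath`. The declaration of `fullpath` in mount_bind.c, mount_changer.c, mount_ext2.c and mount_generic.c is outside the hunks, so its size cannot be checked from here.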
@@ -58,8 +58,12 @@ int mount_mount(struct autofs_point *ap, len = strlen(root); if (root[len - 1] == '/') { len = snprintf(fullpath, len, "%s", root); - /* Direct mount name is absolute path so don't use root */ } else if (*name == '/') { + /* + * Direct or offset mount, name is absolute path so + * don't use root (but with move mount changes root + * is now the same as name). + */ len = sprintf(fullpath, "%s", root); } else { len = sprintf(fullpath, "%s/%s", root, name); --- autofs-5.0.4.orig/modules/mount_ext2.c +++ autofs-5.0.4/modules/mount_ext2.c @@ -50,8 +50,12 @@ int mount_mount(struct autofs_point *ap, len = strlen(root); if (root[len - 1] == '/') { len = snprintf(fullpath, len, "%s", root); - /* Direct mount name is absolute path so don't use root */ } else if (*name == '/') { + /* + * Direct or offset mount, name is absolute path so + * don't use root (but with move mount changes root + * is now the same as name). + */ len = sprintf(fullpath, "%s", root); } else { len = sprintf(fullpath, "%s/%s", root, name); --- autofs-5.0.4.orig/modules/mount_generic.c +++ autofs-5.0.4/modules/mount_generic.c @@ -49,8 +49,12 @@ int mount_mount(struct autofs_point *ap, len = strlen(root); if (root[len - 1] == '/') { len = snprintf(fullpath, len, "%s", root); - /* Direct mount name is absolute path so don't use root */ } else if (*name == '/') { + /* + * Direct or offset mount, name is absolute path so + * don't use root (but with move mount changes root + * is now the same as name). + */ len = sprintf(fullpath, "%s", root); } else { len = sprintf(fullpath, "%s/%s", root, name); --- autofs-5.0.4.orig/modules/mount_nfs.c +++ autofs-5.0.4/modules/mount_nfs.c @@ -58,7 +58,8 @@ int mount_mount(struct autofs_point *ap, const char *what, const char *fstype, const char *options, void *context) { - char *fullpath, buf[MAX_ERR_BUF]; + char fullpath[PATH_MAX]; + char buf[MAX_ERR_BUF]; struct host *this, *hosts = NULL; unsigned int vers; char *nfsoptions = NULL; 
@@ -150,14 +151,15 @@ int mount_mount(struct autofs_point *ap,
 /* Root offset of multi-mount */
 len = strlen(root);
 if (root[len - 1] == '/') {
- fullpath = alloca(len);
 len = snprintf(fullpath, len, "%s", root);
- /* Direct mount name is absolute path so don't use root */
 } else if (*name == '/') {
- fullpath = alloca(len + 1);
+ /*
+ * Direct or offset mount, name is absolute path so
+ * don't use root (but with move mount changes root
+ * is now the same as name).
+ */
 len = sprintf(fullpath, "%s", root);
 } else {
- fullpath = alloca(len + name_len + 2);
 len = sprintf(fullpath, "%s/%s", root, name);
 }
 fullpath[len] = '\0';
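Review bot: The size passed in `len = snprintf(fullpath, len, "%s", root);` is still `strlen(root)`, a leftover from the alloca sizing and not the capacity of the new `char fullpath[PATH_MAX]`, and the two `sprintf` branches carry no bound at all. snprintf returns the untruncated length, so `fullpath[len] = '\0';` at the end of the hunk also indexes by input length; with a `root` (or `root` plus `name`) of `PATH_MAX` bytes or more each branch writes past the array, unless the lengths are validated earlier in the function, outside this hunk. I would reject `len >= sizeof(fullpath)` before the first branch, which keeps the truncation that drops the trailing slash, and switch the other two calls to the bounded form, e.g. `len = snprintf(fullpath, sizeof(fullpath), "%s/%s", root, name);`, comparing the result with `sizeof(fullpath)` before it is used as an index. The declaration itself changes in the -58 hunk, and mount_mount continues outside both.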