author | Ian Kent <raven@themaw.net> | 2021-09-01 13:36:59 +0800 |
---|---|---|
committer | Ian Kent <raven@themaw.net> | 2021-09-13 12:25:55 +0800 |
commit | 0d7fad44e5fedd40fd5c3829e37ce524412e8627 (patch) | |
tree | d6b52346197b2fa8aa1fd505846f149182e15809 | |
parent | ef354e58836d2be9c3c3d1e75cfd7322b7773ad6 (diff) | |
download | autofs-0d7fad44e5fedd40fd5c3829e37ce524412e8627.tar.gz |
autofs-5.1.7 - add mapent path length check in handle_packet_expire_direct()
Since direct mount expire requests from the kernel need to look up their
map entry and copy the path to a request processing struct fixed length
char array, the copy length should be checked.
Signed-off-by: Ian Kent <raven@themaw.net>
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | daemon/direct.c | 12 |
2 files changed, 9 insertions, 4 deletions
@@ -83,6 +83,7 @@
 - use default stack size for threads.
 - fix use of possibly NULL var in lookup_program.c:match_key().
 - fix incorrect print format specifiers in get_pkt().
+- add mapent path length check in handle_packet_expire_direct().
 25/01/2021 autofs-5.1.7
 - make bind mounts propagation slave by default.
diff --git a/daemon/direct.c b/daemon/direct.c
index d37dd676..4a56486b 100644
--- a/daemon/direct.c
+++ b/daemon/direct.c
@@ -1039,13 +1039,18 @@ int handle_packet_expire_direct(struct autofs_point *ap, autofs_packet_expire_di
 map = map->next;
 }
- if (!me) {
+ if (!me || me->len >= PATH_MAX) {
 /*
 * Shouldn't happen as we have been sent this following
 * successful thread creation and lookup.
 */
- crit(ap->logopt, "can't find map entry for (%lu,%lu)",
- (unsigned long) pkt->dev, (unsigned long) pkt->ino);
+ if (!me)
+ crit(ap->logopt, "can't find map entry for (%lu,%lu)",
+ (unsigned long) pkt->dev, (unsigned long) pkt->ino);
+ else {
+ cache_unlock(mc);
+ crit(ap->logopt, "lookup key is too long");
+ }
 master_source_unlock(ap->entry);
 pthread_setcancelstate(state, NULL);
 return 1;
@@ -1091,7 +1096,6 @@ int handle_packet_expire_direct(struct autofs_point *ap, autofs_packet_expire_di
 mt->ap = ap;
 mt->ioctlfd = me->ioctlfd;
 mt->mc = mc;
- /* TODO: check length here */
 strcpy(mt->name, me->key);
 mt->dev = me->dev;
 mt->type = NFY_EXPIRE; |
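Review bot: The new guard in the first daemon/direct.c hunk (`me->len >= PATH_MAX`) and the `strcpy(mt->name, me->key)` it protects in the second hunk are linked only by convention: the bound is PATH_MAX rather than the size of the destination, and the copy itself stays unbounded. That is safe only if mt->name holds at least PATH_MAX bytes and me->len always equals strlen(me->key), neither of which is visible in these hunks. Consider writing the bound as `me->len >= sizeof(mt->name)` (assuming name is an array member) and replacing the removed TODO with a comment that states the invariant, e.g. `/* me->len < PATH_MAX was checked above, so the key fits in mt->name */`. The "lookup key is too long" message could also carry the `pkt->dev`/`pkt->ino` pair, as the sibling message does, so the offending entry can be identified from the log. The body of handle_packet_expire_direct() starts and ends outside both hunks.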