authorIan Kent <raven@themaw.net>2021-09-01 13:36:59 +0800
committerIan Kent <raven@themaw.net>2021-09-13 12:25:55 +0800
commit0d7fad44e5fedd40fd5c3829e37ce524412e8627 (patch)
treed6b52346197b2fa8aa1fd505846f149182e15809
parentef354e58836d2be9c3c3d1e75cfd7322b7773ad6 (diff)
autofs-5.1.7 - add mapent path length check in handle_packet_expire_direct()
Since direct mount expire requests from the kernel need to look up their map entry and copy the path to a fixed-length char array in a request processing struct, the copy length should be checked. Signed-off-by: Ian Kent <raven@themaw.net>
-rw-r--r--CHANGELOG1
-rw-r--r--daemon/direct.c12
2 files changed, 9 insertions, 4 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 0dac7318..5fdb4c0a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -83,6 +83,7 @@
- use default stack size for threads.
- fix use of possibly NULL var in lookup_program.c:match_key().
- fix incorrect print format specifiers in get_pkt().
+- add mapent path length check in handle_packet_expire_direct().
25/01/2021 autofs-5.1.7
- make bind mounts propagation slave by default.
diff --git a/daemon/direct.c b/daemon/direct.c
index d37dd676..4a56486b 100644
--- a/daemon/direct.c
+++ b/daemon/direct.c
@@ -1039,13 +1039,18 @@ int handle_packet_expire_direct(struct autofs_point *ap, autofs_packet_expire_di
map = map->next;
}
- if (!me) {
+ if (!me || me->len >= PATH_MAX) {
/*
* Shouldn't happen as we have been sent this following
* successful thread creation and lookup.
*/
- crit(ap->logopt, "can't find map entry for (%lu,%lu)",
- (unsigned long) pkt->dev, (unsigned long) pkt->ino);
+ if (!me)
+ crit(ap->logopt, "can't find map entry for (%lu,%lu)",
+ (unsigned long) pkt->dev, (unsigned long) pkt->ino);
+ else {
+ cache_unlock(mc);
+ crit(ap->logopt, "lookup key is too long");
+ }
master_source_unlock(ap->entry);
pthread_setcancelstate(state, NULL);
return 1;
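Review bot: The new guard `me->len >= PATH_MAX` relies on the cached `me->len` matching the actual length of `me->key`, which is what the later `strcpy()` really copies; nothing in this hunk shows where `len` is set, so that invariant should be confirmed and noted next to the check. The new message `"lookup key is too long"` also omits the `(dev,ino)` pair that the sibling message logs, which makes the event hard to tie to a mount when triaging; `crit(ap->logopt, "lookup key is too long for (%lu,%lu)", (unsigned long) pkt->dev, (unsigned long) pkt->ino);` would match it. The retained "Shouldn't happen…" comment now sits above both cases but describes only the failed lookup. The function body starts and ends outside the hunk.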
@@ -1091,7 +1096,6 @@ int handle_packet_expire_direct(struct autofs_point *ap, autofs_packet_expire_di
mt->ap = ap;
mt->ioctlfd = me->ioctlfd;
mt->mc = mc;
- /* TODO: check length here */
strcpy(mt->name, me->key);
mt->dev = me->dev;
mt->type = NFY_EXPIRE;
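Review bot: The `strcpy(mt->name, me->key)` stays unbounded, and with the TODO deleted nothing at the copy site says why it is safe; the bound is enforced only by the `PATH_MAX` check in the earlier hunk. I would replace the TODO rather than remove it, e.g. `/* me->len < PATH_MAX was checked after the map entry lookup above */`, so a later edit to either site does not quietly separate the check from the copy. The declaration of `mt->name` is outside the hunk; if it is an array, comparing against `sizeof(mt->name)` would tie the limit to the destination rather than to a constant that merely has to agree with it. The enclosing function starts and ends outside the hunk.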