autofs-5.1.4 - fix use after free in do_master_list_reset()
From: Ian Kent <raven@themaw.net>
Umm ... list_for_each() can't be used in do_master_list_reset() because
the subject entry of the loop is removed from the list within the loop
body. Therefore it can't be used to calculate the next pointer within a
for (...) loop.
There is no list_for_each_safe() macro in the list.h of autofs so it
needs to be done manually.
Signed-off-by: Ian Kent <raven@themaw.net>
---
CHANGELOG | 1 +
daemon/automount.c | 8 ++++++--
2 files changed, 7 insertions(+), 2 deletions(-)
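--- a/CHANGELOG
+++ b/CHANGELOG
@@ -289,6 +289,7 @@
 - fix open calls not using open_xxxx() calls.
 - move open_xxxx() functions to spawn.c.
 - serialize calls to open_xxxx() functions.
+- fix use after free in do_master_list_reset().
 
 25/07/2012 autofs-5.0.7
 =======================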
diff --git a/daemon/automount.c b/daemon/automount.c
|
||
|
index d96cd35..1a61b90 100644
|
||
|
--- a/daemon/automount.c
|
||
|
+++ b/daemon/automount.c
|
||
|
@@ -2075,14 +2075,18 @@ static void remove_empty_args(char **argv, int *argc)
|
||
|
|
||
|
static void do_master_list_reset(struct master *master)
|
||
|
{
|
||
|
- struct list_head *head, *p;
|
||
|
+ struct list_head *head, *p, *n;
|
||
|
|
||
|
master_mutex_lock();
|
||
|
|
||
|
head = &master->mounts;
|
||
|
- list_for_each(p, head) {
|
||
|
+ n = head->next;
|
||
|
+ while (n != head) {
|
||
|
struct master_mapent *entry;
|
||
|
|
||
|
+ p = n;
|
||
|
+ n = p->next;
|
||
|
+
|
||
|
entry = list_entry(p, struct master_mapent, list);
|
||
|
|
||
|
if (!list_empty(&entry->list))
|