autofs-5.1.4 - fix use after free in do_master_list_reset() |
|
|
|
From: Ian Kent <raven@themaw.net> |
|
|
|
Umm ... list_for_each() can't be used in do_master_list_reset() because |
|
the subject entry of the loop is removed from the list within the loop |
|
body. Therefore it can't be used to calculate the next pointer within a |
|
for (...) loop. |
|
|
|
There is no list_for_each_safe() macro in the list.h of autofs so it |
|
needs to be done manually. |
|
|
|
Signed-off-by: Ian Kent <raven@themaw.net> |
|
--- |
|
CHANGELOG | 1 + |
|
daemon/automount.c | 8 ++++++-- |
|
2 files changed, 7 insertions(+), 2 deletions(-) |
|
|
|
diff --git a/CHANGELOG b/CHANGELOG |
|
index 4cb23f2..6cd3029 100644 |
|
--- a/CHANGELOG |
|
+++ b/CHANGELOG |
|
@@ -289,6 +289,7 @@ |
|
- fix open calls not using open_xxxx() calls. |
|
- move open_xxxx() functions to spawn.c. |
|
- serialize calls to open_xxxx() functions. |
|
+- fix use after free in do_master_list_reset(). |
|
|
|
25/07/2012 autofs-5.0.7 |
|
======================= |
|
diff --git a/daemon/automount.c b/daemon/automount.c |
|
index d96cd35..1a61b90 100644 |
|
--- a/daemon/automount.c |
|
+++ b/daemon/automount.c |
|
@@ -2075,14 +2075,18 @@ static void remove_empty_args(char **argv, int *argc) |
|
|
|
static void do_master_list_reset(struct master *master) |
|
{ |
|
- struct list_head *head, *p; |
|
+ struct list_head *head, *p, *n; |
|
|
|
master_mutex_lock(); |
|
|
|
head = &master->mounts; |
|
- list_for_each(p, head) { |
|
+ n = head->next; |
|
+ while (n != head) { |
|
struct master_mapent *entry; |
|
|
|
+ p = n; |
|
+ n = p->next; |
|
+ |
|
entry = list_entry(p, struct master_mapent, list); |
|
|
|
if (!list_empty(&entry->list))
|
|
|
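Review bot: In the new `while (n != head)` loop, saving `n = p->next` before the body only protects against the current entry being unlinked or freed; if the body can ever remove the entry that `n` points to as well, `n` is left dangling in the same way `p` was before. A short comment above the loop stating that only `entry` is removed per iteration would make that assumption explicit. Since the commit message says autofs's list.h has no list_for_each_safe(), consider adding that macro to list.h instead of open-coding the walk, so other loops that delete while iterating do not repeat the mistake. Separately, the `if (!list_empty(&entry->list))` test is applied to a node that was just reached by walking from `head`, so it looks like it is always true for a linked entry; if it is intentional, a comment saying what case it guards against would help.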