
autofs-5.0.1-0.rc2.164.el5_8.src.rpm

--- autofs-5.0.1/modules/lookup_yp.c.fix-use-after-free	2006-09-01 13:29:50.000000000 +0800
+++ autofs-5.0.1/modules/lookup_yp.c	2006-11-25 13:27:05.000000000 +0800
@@ -128,8 +128,12 @@ int lookup_init(const char *mapfmt, int 
 	/* This should, but doesn't, take a const char ** */
 	err = yp_get_default_domain((char **) &ctxt->domainname);
 	if (err) {
+		size_t len = strlen(ctxt->mapname);
+		char *name = alloca(len + 1);
+		memcpy(name, ctxt->mapname, len);
+		name[len] = '\0';
 		free(ctxt);
-		debug(LOGOPT_NONE, MODPREFIX "map %s: %s", ctxt->mapname,
+		debug(LOGOPT_NONE, MODPREFIX "map %s: %s", name,
 		       yperr_string(err));
 		return 1;
 	}
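Review bot: The alloca() copy of ctxt->mapname in the error branch is not needed to avoid the use after free; calling `debug(LOGOPT_NONE, MODPREFIX "map %s: %s", ctxt->mapname, yperr_string(err));` before `free(ctxt);` produces the same log line without any copy. As written, the stack allocation is sized by strlen(ctxt->mapname) with no upper bound, so a very long map name grows the stack by that amount just to print an error message. lookup_init starts and ends outside the hunk, so whether mapname is storage owned by ctxt or only a pointer to the caller's argument is not visible here.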
--- autofs-5.0.1/lib/cache.c.fix-use-after-free	2006-09-01 13:29:50.000000000 +0800
+++ autofs-5.0.1/lib/cache.c	2006-11-25 13:27:05.000000000 +0800
@@ -351,6 +351,9 @@ struct mapent *cache_lookup(struct mapen
 {
 	struct mapent *me = NULL;
 
+	if (!key)
+		return NULL;
+
 	for (me = mc->hash[hash(key)]; me != NULL; me = me->next) {
 		if (strcmp(key, me->key) == 0)
 			goto done;
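Review bot: The new `if (!key) return NULL;` guard in cache_lookup makes a NULL key indistinguishable from a cache miss, and nothing in the hunk records which caller can pass NULL. A one-line comment above the guard, for example `/* key may be NULL when <caller condition>; treat as a miss */`, would document why it exists; the same applies to the identical guard added to cache_lookup_distinct in the next hunk. cache_delete in this file still passes key to hash() and strlen() with no such check, so the three entry points are inconsistent if a NULL key can reach all of them. Both lookup functions continue outside their hunks.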
@@ -377,6 +380,9 @@ struct mapent *cache_lookup_distinct(str
 {
 	struct mapent *me;
 
+	if (!key)
+		return NULL;
+
 	for (me = mc->hash[hash(key)]; me != NULL; me = me->next) {
 		if (strcmp(key, me->key) == 0)
 			return me;
@@ -659,6 +665,14 @@ int cache_delete(struct mapent_cache *mc
 	struct mapent *me = NULL, *pred;
 	unsigned int hashval = hash(key);
 	int status, ret = CHE_OK;
+	char *this;
+
+	this = alloca(strlen(key) + 1);
+	if (!this) {
+		ret = CHE_FAIL;
+		goto done;
+	}
+	strcpy(this, key);
 
 	me = mc->hash[hashval];
 	if (!me) {
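Review bot: The `if (!this)` check after `alloca(strlen(key) + 1)` can never take the CHE_FAIL path, because alloca() does not signal failure by returning NULL; an over-long key overruns the stack instead of producing an error. If the copy is needed because key may point into an entry that the loop frees (inferred from the patch name, not visible in the hunk), a heap copy makes the check meaningful: `this = strdup(key);` with a matching `free(this);` at the `done` label, which lies outside the hunk. Alternatively, reject keys longer than the cache's maximum key length before the alloca() so the stack growth is bounded.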
@@ -669,7 +683,7 @@ int cache_delete(struct mapent_cache *mc
 	while (me->next != NULL) {
 		pred = me;
 		me = me->next;
-		if (strcmp(key, me->key) == 0) {
+		if (strcmp(this, me->key) == 0) {
 			if (me->multi && !list_empty(&me->multi_list)) {
 				ret = CHE_FAIL;
 				goto done;
@@ -693,7 +707,7 @@ int cache_delete(struct mapent_cache *mc
 	if (!me)
 		goto done;
 
-	if (strcmp(key, me->key) == 0) {
+	if (strcmp(this, me->key) == 0) {
 		if (me->multi && !list_empty(&me->multi_list)) {
 			ret = CHE_FAIL;
 			goto done;
--- autofs-5.0.1/CHANGELOG.fix-use-after-free	2006-11-25 13:25:17.000000000 +0800
+++ autofs-5.0.1/CHANGELOG	2006-11-25 13:27:05.000000000 +0800
@@ -39,6 +39,7 @@
 - fix tokenizer to distinguish between global option and dn string.
 - fix incorrect return from spawn (Gordon Lack).
 - fix parsing of bad mount mount point in master map.
+- fix use after free memory access in cache.c and lookup_yp.c.
 
 1/9/2006 autofs-5.0.1 rc2
 -------------------------