[PATCH] autofs: Fix crash in sun_mount()

In sun_mount() the variable np gets initialized to an alloca()
memory area:
  np = noptions = alloca();
Later on, at the end of a loop, it may get accessed like this:
  *(np - 1) = '\0';

If np hasn't been increased in between those lines, this access triggers
an out-of-bounds access which overwrites stack area and on the parisc
architecture segfaults the automount executable as described in the Debian
bugzilla #892953.

The patch below adds the necessary check and thus fixes the crash.

Signed-off-by: Helge Deller <deller@xxxxxx>
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892953

diff -up ./modules/parse_sun.c.org ./modules/parse_sun.c
--- ./modules/parse_sun.c.org	2020-09-08 09:13:03.843105425 +0000
+++ ./modules/parse_sun.c	2020-09-08 09:16:49.321534049 +0000
@@ -575,8 +575,9 @@ static int sun_mount(struct autofs_point
 		if (np > noptions + len) {
 			warn(ap->logopt, MODPREFIX "options string truncated");
 			np[len] = '\0';
-		} else
+		} else if (np > noptions) {
 			*(np - 1) = '\0';
+		}

 		options = noptions;
 	}
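Review bot: the new `else if (np > noptions)` guard leaves the np == noptions case without any terminator: nothing has been appended, so `options = noptions` then points at whatever alloca() left in the buffer rather than at an empty string. Add a final `else *np = '\0';` (or clear noptions[0] before the loop) so the no-options path yields "". While touching this block it is also worth checking the unchanged truncation branch: `np[len] = '\0';` indexes from np, which the condition `np > noptions + len` has just shown to lie past noptions + len, so the store lands well beyond that point; if the intent is to terminate at the end of the buffer, `noptions[len] = '\0'` looks like what is meant, but the buffer size is not visible in this hunk, so please confirm.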


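The following is an added example, not code from the autofs project or from this patch. It reproduces the pattern the commit message describes (append each option plus a separator, then strip the trailing separator with `*(np - 1) = '\0'`) in a stand-alone joiner, with a canary byte placed directly below the options buffer so the one-byte underflow becomes observable, and shows the guarded variant beside it. The names `join_options`, `canary_intact`, `joined_equals`, the `optbuf` layout and the sample options are all hypothetical; the truncation handling is simplified to a plain stop rather than the parser's warning path.

```c
#include <stdio.h>
#include <string.h>

#define OPT_LEN 64

/* area[0] is a canary byte lying directly below the options buffer, which
 * starts at area[1]; the final byte keeps the region NUL-terminated so the
 * result can always be printed. */
struct optbuf {
    char area[1 + OPT_LEN + 1];
};

/* Constructed sample input (hypothetical, not taken from the page). */
static const char *const sample_opts[] = { "rw", "nosuid" };
#define N_SAMPLE (sizeof sample_opts / sizeof sample_opts[0])

/* Sun-parser style joiner: append every option plus a ',' separator, then
 * overwrite the trailing ',' with NUL.  With guarded == 0 this reproduces the
 * bug the patch fixes: for n == 0, np never advances and *(np - 1) stores one
 * byte below the buffer.  With guarded == 1 the separator is stripped only if
 * one was written, and the empty case is terminated explicitly. */
static void join_options(char *buf, size_t len, const char *const *opts,
                         size_t n, int guarded)
{
    char *np = buf;

    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(opts[i]);
        if (np + l + 1 > buf + len)     /* out of room: stop (simplified truncation) */
            break;
        memcpy(np, opts[i], l);
        np += l;
        *np++ = ',';
    }

    if (!guarded)
        *(np - 1) = '\0';               /* original: unconditional, underflows when np == buf */
    else if (np > buf)
        *(np - 1) = '\0';               /* patched: only strip a separator that exists */
    else
        *np = '\0';                     /* nothing appended: hand back an empty string */
}

static void run_case(struct optbuf *b, size_t n, int guarded)
{
    if (n > N_SAMPLE)
        n = N_SAMPLE;
    memset(b->area, 'X', sizeof b->area);    /* 'X' canary plus "uninitialised" fill */
    b->area[sizeof b->area - 1] = '\0';
    join_options(&b->area[1], OPT_LEN, sample_opts, n, guarded);
}

/* 1 if the canary byte below the buffer survived, 0 if the joiner clobbered it. */
int canary_intact(size_t n, int guarded)
{
    struct optbuf b;
    run_case(&b, n, guarded);
    return b.area[0] == 'X';
}

/* 1 if the joiner produced exactly `expected`. */
int joined_equals(size_t n, int guarded, const char *expected)
{
    struct optbuf b;
    run_case(&b, n, guarded);
    return strcmp(&b.area[1], expected) == 0;
}

int main(void)
{
    printf("2 opts, unguarded: canary %s\n", canary_intact(2, 0) ? "intact" : "CLOBBERED");
    printf("0 opts, unguarded: canary %s\n", canary_intact(0, 0) ? "intact" : "CLOBBERED");
    printf("0 opts, guarded:   canary %s, empty string=%d\n",
           canary_intact(0, 1) ? "intact" : "CLOBBERED", joined_equals(0, 1, ""));
    return 0;
}
```

Because the canary lives inside the same array one slot below the buffer, the underflow here is a defined store that the test can observe; in the real parser the byte below an alloca() block is whatever the stack frame happens to hold, which is why the effect showed up as a crash on one architecture and silently elsewhere.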

