On Tue, 2020-09-08 at 12:02 +0200, Paul Menzel wrote:
> Dear Helge, > > > Thank you very much for your patch. > > On 08.09.20 at 11:54, Helge Deller wrote: > > In sun_mount() the the variable np gets initialized to an alloca() > > s/the the/the/ > > > memory area: > > np = noptions = alloca(); > > Later on, at the end of a loop, it may get accessed like this: > > *(np - 1) = '\0'; > > > > If np hasn't been increased in between those lines, this access > > triggers > > an out-of-bounds access which overwrites stack area and on the > > parisc > > architecture segfaults the automount executable as desribed in the > > Debian > > described > > > bugzilla #892953. > > Debian just calls it Debian BTS. > > > The patch below adds the necessary check and thus fixes the crash. > > > > Signed-off-by: Helge Deller <deller@xxxxxx> > > Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892953 > > > > diff -up ./modules/parse_sun.c.org ./modules/parse_sun.c > > --- ./modules/parse_sun.c.org 2020-09-08 09:13:03.843105425 > > +0000 > > +++ ./modules/parse_sun.c 2020-09-08 09:16:49.321534049 +0000 > > @@ -575,8 +575,9 @@ static int sun_mount(struct autofs_point > > if (np > noptions + len) { > > warn(ap->logopt, MODPREFIX "options string > > truncated"); > > np[len] = '\0'; > > - } else > > + } else if (np > noptions) { > > *(np - 1) = '\0'; > > + } > > > > options = noptions; > > } > > Reviewed-by: Paul Menzel <pmenzel@xxxxxxxxxxxxx>

Thank you both for the patch and review. I have added it to my patch queue and will commit and push it to the repo the next time I do a push. Could be a little while before I do that though ...

Ian
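
Review bot: with the new "else if (np > noptions)" guard in sun_mount(), the case np == noptions now writes nothing before "options = noptions;", so the result is a valid string only if the alloca() buffer was already terminated at noptions[0]. Neither the hunk nor the commit message shows that initialisation; either confirm it in the commit message or terminate explicitly in a final else with "*noptions = '\0';". Separately, in the unchanged context above, the truncation branch is taken when np > noptions + len and then stores to np[len], which lands further past noptions + len rather than at it; if the aim is to cut the string at the limit, that index deserves a check against the alloca() size, which is elided in the description.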