[PATCH 12/19] autofs-5.1.8 - fix use after free in tree_mapent_delete_offset_tree()

The key field of the map entry of the root of the map entry tree to be
deleted can't be used for the key parameter, fix it.

Signed-off-by: Ian Kent <raven@xxxxxxxxxx>
---
 CHANGELOG    |    1 +
 lib/mounts.c |   16 +++++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 53831d48..8d846d32 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,7 @@
 - fix loop under run in cache_get_offset_parent().
 - fix nfsv4 only mounts should not use rpcbind.
 - simplify cache_add() a little.
+- fix use after free in tree_mapent_delete_offset_tree().
 
 19/10/2021 autofs-5.1.8
 - add xdr_exports().
diff --git a/lib/mounts.c b/lib/mounts.c
index 451849a6..c731f464 100644
--- a/lib/mounts.c
+++ b/lib/mounts.c
@@ -1666,16 +1666,26 @@ static int tree_mapent_delete_offset_tree(struct tree_node *root)
 	 */
 	if (MAPENT_ROOT(me) != MAPENT_NODE(me)) {
 		struct tree_node *root = MAPENT_ROOT(me);
+		char *key;
 
-		debug(logopt, "deleting offset key %s", me->key);
+		key = strdup(me->key);
+		if (!key) {
+			char buf[MAX_ERR_BUF];
+			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+			error(logopt, "strdup: %s", estr);
+			return 0;
+		}
+
+		debug(logopt, "deleting offset key %s", key);
 
 		/* cache_delete won't delete an active offset */
 		MAPENT_SET_ROOT(me, NULL);
-		ret = cache_delete(me->mc, me->key);
+		ret = cache_delete(me->mc, key);
 		if (ret != CHE_OK) {
 			MAPENT_SET_ROOT(me, root);
-			warn(logopt, "failed to delete offset %s", me->key);
+			warn(logopt, "failed to delete offset %s", key);
 		}
+		free(key);
 	} else {
 		MAPENT_SET_ROOT(me, NULL);
 		MAPENT_SET_PARENT(me, NULL);
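
Review bot: the new "key = strdup(me->key);" at the top of the MAPENT_ROOT(me) != MAPENT_NODE(me) branch has no comment saying why me->key cannot be handed to cache_delete() directly, and the commit message only says it "can't be used". A one-line comment above the strdup(), stating that the entry owning the key may be gone once cache_delete() returns (which is what the subject's use after free implies), would keep a later cleanup from reverting to me->key in the cache_delete() and warn() calls. Two smaller points in the same branch: the early "return 0;" on strdup() failure runs before MAPENT_SET_ROOT(me, NULL), so the entry is left untouched, but please confirm that 0 is the value the caller treats as failure; and "char *estr = strerror_r(errno, buf, MAX_ERR_BUF);" depends on the GNU strerror_r() that returns a string rather than the XSI one that returns int, so it is only correct if the file is built with the GNU variant.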




