- update with latest upstream patches.

autofs-5.1.7-add-buffer-length-check-to-rmdir_path.patch

@@ -0,0 +1,51 @@
+autofs-5.1.7 - add buffer length check to rmdir_path()
+
+From: Ian Kent <raven@themaw.net>
+
+Add a length check before copying the incoming path string to the work
+buffer.
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG          |    1 +
+ daemon/automount.c |    8 ++++++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index ded0f00f..38304720 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -86,6 +86,7 @@
+ - add mapent path length check in handle_packet_expire_direct().
+ - add copy length check in umount_autofs_indirect().
+ - add some buffer length checks to master map parser.
++- add buffer length check to rmdir_path().
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/automount.c b/daemon/automount.c
+index 45e0833f..114b013a 100644
+--- a/daemon/automount.c
++++ b/daemon/automount.c
+@@ -241,15 +241,19 @@ int mkdir_path(const char *path, mode_t mode)
+ int rmdir_path(struct autofs_point *ap, const char *path, dev_t dev)
+ {
+ 	int len = strlen(path);
+-	char buf[PATH_MAX];
++	char buf[PATH_MAX + 1];
+ 	char *cp;
+ 	int first = 1;
+ 	struct stat st;
+ 	struct statfs fs;
+ 
++	if (len > PATH_MAX) {
++		error(ap->logopt, "path longer than maximum length");
++		return -1;
++	}
+ 	strcpy(buf, path);
+-	cp = buf + len;
+ 
++	cp = buf + len;
+ 	do {
+ 		*cp = '\0';
+ 

autofs-5.1.7-add-buffer-length-checks-to-autofs-mount_mount.patch

@@ -0,0 +1,108 @@
+autofs-5.1.7 - add buffer length checks to autofs mount_mount()
+
+From: Ian Kent <raven@themaw.net>
+
+
+---
+ CHANGELOG              |    1 +
+ modules/mount_autofs.c |   59 +++++++++++++++++++++++++++++++++---------------
+ 2 files changed, 41 insertions(+), 19 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 6ab4813d..17926916 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -88,6 +88,7 @@
+ - add some buffer length checks to master map parser.
+ - add buffer length check to rmdir_path().
+ - eliminate buffer usage from handle_mounts_cleanup().
++- add buffer length checks to autofs mount_mount().
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/modules/mount_autofs.c b/modules/mount_autofs.c
+index 0bcbb343..b2233573 100644
+--- a/modules/mount_autofs.c
++++ b/modules/mount_autofs.c
+@@ -50,8 +50,8 @@ int mount_mount(struct autofs_point *ap, const char *root, const char *name,
+ {
+ 	struct startup_cond suc;
+ 	pthread_t thid;
+-	char realpath[PATH_MAX];
+-	char mountpoint[PATH_MAX];
++	char realpath[PATH_MAX + 1];
++	char mountpoint[PATH_MAX + 1];
+ 	const char **argv;
+ 	int argc, status;
+ 	int nobind = ap->flags & MOUNT_FLAG_NOBIND;
+@@ -68,32 +68,53 @@ int mount_mount(struct autofs_point *ap, const char *root, const char *name,
+ 	struct mnt_list *mnt;
+ 	char buf[MAX_ERR_BUF];
+ 	char *options, *p;
+-	int len, ret;
++	int err, ret;
+ 	int hosts = 0;
+ 
+ 	/* Root offset of multi-mount */
+-	len = strlen(root);
+-	if (root[len - 1] == '/') {
+-		strcpy(realpath, ap->path);
+-		strcat(realpath, "/");
+-		strcat(realpath, name);
+-		len--;
+-		strncpy(mountpoint, root, len);
+-		mountpoint[len] = '\0';
++	if (root[strlen(root) - 1] == '/') {
++		err = snprintf(realpath, PATH_MAX + 1, "%s/%s", ap->path, name);
++		if (err > PATH_MAX) {
++			error(ap->logopt, MODPREFIX "string too long for realpath");
++			return 1;
++		}
++		err = snprintf(mountpoint, PATH_MAX + 1, "%s", root);
++		if (err > PATH_MAX) {
++			error(ap->logopt, MODPREFIX "string too long for mountpoint");
++			return 1;
++		}
++		mountpoint[err - 1] = 0;
+ 	} else if (*name == '/') {
+ 		if (ap->flags & MOUNT_FLAG_REMOUNT) {
+-			strcpy(mountpoint, name);
+-			strcpy(realpath, name);
++			err = snprintf(mountpoint, PATH_MAX + 1, "%s", name);
++			if (err > PATH_MAX) {
++				error(ap->logopt, MODPREFIX "string too long for mountpoint");
++				return 1;
++			}
++			err = snprintf(realpath, PATH_MAX + 1, "%s", name);
++			if (err > PATH_MAX) {
++				error(ap->logopt, MODPREFIX "string too long for realpath");
++				return 1;
++			}
+ 		} else {
+-			strcpy(mountpoint, root);
+-			strcpy(realpath, name);
++			err = snprintf(mountpoint, PATH_MAX + 1, "%s", root);
++			if (err > PATH_MAX) {
++				error(ap->logopt, MODPREFIX "string too long for mountpoint");
++				return 1;
++			}
++			err = snprintf(realpath, PATH_MAX + 1, "%s", name);
++			if (err > PATH_MAX) {
++				error(ap->logopt, MODPREFIX "string too long for realpath");
++				return 1;
++			}
+ 		}
+ 	} else {
+-		strcpy(mountpoint, root);
+-		strcat(mountpoint, "/");
++		err = snprintf(mountpoint, PATH_MAX + 1, "%s/%s", root, name);
++		if (err > PATH_MAX) {
++			error(ap->logopt, MODPREFIX "string too long for mountpoint");
++			return 1;
++		}
+ 		strcpy(realpath, mountpoint);
+-		strcat(mountpoint, name);
+-		strcat(realpath, name);
+ 	}
+ 
+ 	options = NULL;

autofs-5.1.7-add-copy-length-check-in-umount_autofs_indirect.patch

@@ -0,0 +1,51 @@
+autofs-5.1.7 - add copy length check in umount_autofs_indirect()
+
+From: Ian Kent <raven@themaw.net>
+
+Add a source length check before copying to a work buffer in
+umount_autofs_indirect().
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG         |    1 +
+ daemon/indirect.c |   13 +++++++++++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 5fdb4c0a..be0b9d85 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -84,6 +84,7 @@
+ - fix use of possibly NULL var in lookup_program.c:match_key().
+ - fix incorrect print format specifiers in get_pkt().
+ - add mapent path length check in handle_packet_expire_direct().
++- add copy length check in umount_autofs_indirect().
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/indirect.c b/daemon/indirect.c
+index 9f2ca6a0..b73c2781 100644
+--- a/daemon/indirect.c
++++ b/daemon/indirect.c
+@@ -238,10 +238,19 @@ int umount_autofs_indirect(struct autofs_point *ap, const char *root)
+ 	int rv, retries;
+ 	unsigned int unused;
+ 
+-	if (root)
++	if (root) {
++		if (strlen(root) > PATH_MAX) {
++			error(ap->logopt, "mountpoint path too long");
++			return 1;
++		}
+ 		strcpy(mountpoint, root);
+-	else
++	} else {
++		if (ap->len > PATH_MAX) {
++			error(ap->logopt, "mountpoint path too long");
++			return 1;
++		}
+ 		strcpy(mountpoint, ap->path);
++	}
+ 
+ 	/* If we are trying to shutdown make sure we can umount */
+ 	rv = ops->askumount(ap->logopt, ap->ioctlfd, &unused);

autofs-5.1.7-add-mapent-path-length-check-in-handle_packet_expire_direct.patch

@@ -0,0 +1,60 @@
+autofs-5.1.7 - add mapent path length check in handle_packet_expire_direct()
+
+From: Ian Kent <raven@themaw.net>
+
+Since direct mount expire requests from the kernel need to look up their
+map entry and copy the path to a request processing struct fix length
+char array the copy length should be checked.
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG       |    1 +
+ daemon/direct.c |   12 ++++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 0dac7318..5fdb4c0a 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -83,6 +83,7 @@
+ - use default stack size for threads.
+ - fix use of possibly NULL var in lookup_program.c:match_key().
+ - fix incorrect print format specifiers in get_pkt().
++- add mapent path length check in handle_packet_expire_direct().
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/direct.c b/daemon/direct.c
+index d37dd676..4a56486b 100644
+--- a/daemon/direct.c
++++ b/daemon/direct.c
+@@ -1039,13 +1039,18 @@ int handle_packet_expire_direct(struct autofs_point *ap, autofs_packet_expire_di
+ 		map = map->next;
+ 	}
+ 
+-	if (!me) {
++	if (!me || me->len >= PATH_MAX) {
+ 		/*
+ 		 * Shouldn't happen as we have been sent this following
+ 		 * successful thread creation and lookup.
+ 		 */
+-		crit(ap->logopt, "can't find map entry for (%lu,%lu)",
+-		    (unsigned long) pkt->dev, (unsigned long) pkt->ino);
++		if (!me)
++			crit(ap->logopt, "can't find map entry for (%lu,%lu)",
++			    (unsigned long) pkt->dev, (unsigned long) pkt->ino);
++		else {
++			cache_unlock(mc);
++			crit(ap->logopt, "lookup key is too long");
++		}
+ 		master_source_unlock(ap->entry);
+ 		pthread_setcancelstate(state, NULL);
+ 		return 1;
+@@ -1091,7 +1096,6 @@ int handle_packet_expire_direct(struct autofs_point *ap, autofs_packet_expire_di
+ 	mt->ap = ap;
+ 	mt->ioctlfd = me->ioctlfd;
+ 	mt->mc = mc;
+-	/* TODO: check length here */
+ 	strcpy(mt->name, me->key);
+ 	mt->dev = me->dev;
+ 	mt->type = NFY_EXPIRE;

autofs-5.1.7-add-some-buffer-length-checks-to-master-map-parser.patch

@@ -0,0 +1,257 @@
+autofs-5.1.7 - add some buffer length checks to master map parser
+
+From: Ian Kent <raven@themaw.net>
+
+Add some checks for buffer overflow to the master map parser.
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG             |    1 +
+ daemon/master_parse.y |   38 +++++++++++++++-----------
+ daemon/master_tok.l   |   73 ++++++++++++++++++++++++++++++++++++++++++++-----
+ 3 files changed, 88 insertions(+), 24 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index be0b9d85..ded0f00f 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -85,6 +85,7 @@
+ - fix incorrect print format specifiers in get_pkt().
+ - add mapent path length check in handle_packet_expire_direct().
+ - add copy length check in umount_autofs_indirect().
++- add some buffer length checks to master map parser.
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/master_parse.y b/daemon/master_parse.y
+index 7480c36a..2d78f082 100644
+--- a/daemon/master_parse.y
++++ b/daemon/master_parse.y
+@@ -29,6 +29,7 @@
+ #include "master.h"
+ 
+ #define MAX_ERR_LEN	512
++#define STRTYPE_LEN	2048
+ 
+ extern struct master *master_list;
+ 
+@@ -79,6 +80,7 @@ static int local_argc;
+ static unsigned int propagation;
+ 
+ static char errstr[MAX_ERR_LEN];
++static int errlen;
+ 
+ static unsigned int verbose;
+ static unsigned int debug;
+@@ -521,10 +523,11 @@ dnattrs: DNATTR EQUAL DNNAME
+ 		    strcasecmp($1, "ou") &&
+ 		    strcasecmp($1, "automountMapName") &&
+ 		    strcasecmp($1, "nisMapName")) {
+-			strcpy(errstr, $1);
+-			strcat(errstr, "=");
+-			strcat(errstr, $3);
+-			master_notify(errstr);
++			errlen = snprintf(errstr, MAX_ERR_LEN, "%s=%s", $1, $3);
++			if (errlen < MAX_ERR_LEN)
++				master_notify(errstr);
++			else
++				master_notify("error string too long");
+ 			YYABORT;
+ 		}
+ 		strcpy($$, $1);
+@@ -537,10 +540,11 @@ dnattrs: DNATTR EQUAL DNNAME
+ 		    strcasecmp($1, "ou") &&
+ 		    strcasecmp($1, "automountMapName") &&
+ 		    strcasecmp($1, "nisMapName")) {
+-			strcpy(errstr, $1);
+-			strcat(errstr, "=");
+-			strcat(errstr, $3);
+-			master_notify(errstr);
++			errlen = snprintf(errstr, MAX_ERR_LEN, "%s=%s", $1, $3);
++			if (errlen < MAX_ERR_LEN)
++				master_notify(errstr);
++			else
++				master_notify("error string too long");
+ 			YYABORT;
+ 		}
+ 		strcpy($$, $1);
+@@ -565,10 +569,11 @@ dnattr: DNATTR EQUAL DNNAME
+ 	{
+ 		if (!strcasecmp($1, "automountMapName") ||
+ 		    !strcasecmp($1, "nisMapName")) {
+-			strcpy(errstr, $1);
+-			strcat(errstr, "=");
+-			strcat(errstr, $3);
+-			master_notify(errstr);
++			errlen = snprintf(errstr, MAX_ERR_LEN, "%s=%s", $1, $3);
++			if (errlen < MAX_ERR_LEN)
++				master_notify(errstr);
++			else
++				master_notify("error string too long");
+ 			YYABORT;
+ 		}
+ 		strcpy($$, $1);
+@@ -579,10 +584,11 @@ dnattr: DNATTR EQUAL DNNAME
+ 	{
+ 		if (!strcasecmp($1, "automountMapName") ||
+ 		    !strcasecmp($1, "nisMapName")) {
+-			strcpy(errstr, $1);
+-			strcat(errstr, "=");
+-			strcat(errstr, $3);
+-			master_notify(errstr);
++			errlen = snprintf(errstr, MAX_ERR_LEN, "%s=%s", $1, $3);
++			if (errlen < MAX_ERR_LEN)
++				master_notify(errstr);
++			else
++				master_notify("error string too long");
+ 			YYABORT;
+ 		}
+ 		strcpy($$, $1);
+diff --git a/daemon/master_tok.l b/daemon/master_tok.l
+index 87a6b958..e2d15bce 100644
+--- a/daemon/master_tok.l
++++ b/daemon/master_tok.l
+@@ -23,6 +23,7 @@
+ #endif /* ECHO */
+ static void master_echo(void);	/* forward definition */
+ #define ECHO master_echo()
++static void master_error(char *s);
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -80,6 +81,8 @@ char *bptr;
+ char *optr = buff;
+ unsigned int tlen;
+ 
++#define STRTYPE_LEN	2048
++
+ %}
+ 
+ %option nounput
+@@ -217,7 +220,13 @@ MODE		(--mode{OPTWS}|--mode{OPTWS}={OPTWS})
+ 			bptr += tlen;
+ 			yyless(tlen);
+ 		} else {
+-			strcpy(master_lval.strtype, master_text);
++			if (tlen <= STRTYPE_LEN)
++				strcpy(master_lval.strtype, master_text);
++			else {
++				master_error("MULTITYPE: value too large, truncated");
++				strncpy(master_lval.strtype, master_text, STRTYPE_LEN - 2);
++				master_lval.strtype[STRTYPE_LEN - 1] = 0;
++			}
+ 			return(MULTITYPE);
+ 		}
+ 	}
+@@ -239,7 +248,13 @@ MODE		(--mode{OPTWS}|--mode{OPTWS}={OPTWS})
+ 			bptr += tlen;
+ 			yyless(tlen);
+ 		} else {
+-			strcpy(master_lval.strtype, master_text);
++			if (tlen <= STRTYPE_LEN)
++				strcpy(master_lval.strtype, master_text);
++			else {
++				master_error("MAPTYPE: value too large, truncated");
++				strncpy(master_lval.strtype, master_text, STRTYPE_LEN - 2);
++				master_lval.strtype[STRTYPE_LEN - 1] = 0;
++			}
+ 			return(MAPTYPE);
+ 		}
+ 	}
+@@ -327,12 +342,24 @@ MODE		(--mode{OPTWS}|--mode{OPTWS}={OPTWS})
+ 	{OPTWS}\\\n{OPTWS} {}
+ 
+ 	{DNSERVERSTR} {
+-		strcpy(master_lval.strtype, master_text);
++		if (master_leng < STRTYPE_LEN)
++			strcpy(master_lval.strtype, master_text);
++		else {
++			master_error("DNSERVER: value too large, truncated");
++			strncpy(master_lval.strtype, master_text, STRTYPE_LEN - 2);
++			master_lval.strtype[STRTYPE_LEN - 1] = 0;
++		}
+ 		return DNSERVER;
+ 	}
+ 
+ 	{DNATTRSTR}/"=" {
+-		strcpy(master_lval.strtype, master_text);
++		if (master_leng < STRTYPE_LEN)
++			strcpy(master_lval.strtype, master_text);
++		else {
++			master_error("DNATTR: value too large, truncated");
++			strncpy(master_lval.strtype, master_text, STRTYPE_LEN - 2);
++			master_lval.strtype[STRTYPE_LEN - 1] = 0;
++		}
+ 		return DNATTR;
+ 	}
+ 
+@@ -341,12 +368,24 @@ MODE		(--mode{OPTWS}|--mode{OPTWS}={OPTWS})
+ 	}
+ 
+ 	{DNNAMESTR1}/","{DNATTRSTR}"=" {
+-		strcpy(master_lval.strtype, master_text);
++		if (master_leng < STRTYPE_LEN)
++			strcpy(master_lval.strtype, master_text);
++		else {
++			master_error("DNNAME: value too large, truncated");
++			strncpy(master_lval.strtype, master_text, STRTYPE_LEN - 2);
++			master_lval.strtype[STRTYPE_LEN - 1] = 0;
++		}
+ 		return DNNAME;
+ 	}
+ 
+ 	{DNNAMESTR2} {
+-		strcpy(master_lval.strtype, master_text);
++		if (master_leng < STRTYPE_LEN)
++			strcpy(master_lval.strtype, master_text);
++		else {
++			master_error("DNNAME: value too large, truncated");
++			strncpy(master_lval.strtype, master_text, STRTYPE_LEN - 2);
++			master_lval.strtype[STRTYPE_LEN - 1] = 0;
++		}
+ 		return DNNAME;
+ 	}
+ 
+@@ -357,7 +396,13 @@ MODE		(--mode{OPTWS}|--mode{OPTWS}={OPTWS})
+ 	{WS}"=" |
+ 	"="{WS} {
+ 		BEGIN(INITIAL);
+-		strcpy(master_lval.strtype, master_text);
++		if (master_leng < STRTYPE_LEN)
++			strcpy(master_lval.strtype, master_text);
++		else {
++			master_error("SPACE: value too large, truncated");
++			strncpy(master_lval.strtype, master_text, STRTYPE_LEN - 2);
++			master_lval.strtype[STRTYPE_LEN - 1] = 0;
++		}
+ 		return SPACE;
+ 	}
+ 
+@@ -419,7 +464,13 @@ MODE		(--mode{OPTWS}|--mode{OPTWS}={OPTWS})
+ 	}
+ 
+ 	{OPTIONSTR} {
+-		strcpy(master_lval.strtype, master_text);
++		if (master_leng < STRTYPE_LEN)
++			strcpy(master_lval.strtype, master_text);
++		else {
++			master_error("OPTION: value too large, truncated");
++			strncpy(master_lval.strtype, master_text, STRTYPE_LEN - 2);
++			master_lval.strtype[STRTYPE_LEN - 1] = 0;
++		}
+ 		return(OPTION);
+ 	}
+ 
+@@ -459,6 +510,12 @@ static void master_echo(void)
+ 	return;
+ }
+ 
++static void master_error(char *s)
++{
++	logmsg("%s");
++	return;
++}
++
+ #ifdef FLEX_SCANNER
+ 
+ void master_set_scan_buffer(const char *buffer)

autofs-5.1.7-also-require-TCP_REQUESTED-when-setting-NFS-port.patch

@@ -0,0 +1,38 @@
+autofs-5.1.7 - also require TCP_REQUESTED when setting NFS port
+
+From: Ian Kent <raven@themaw.net>
+
+Set the NFS service port to the default (2049) only if tcp protocol is
+being used and not alternate port has been given.
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG            |    1 +
+ modules/replicated.c |    2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 5d2c2c88..fd5b800a 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -91,6 +91,7 @@
+ - add buffer length checks to autofs mount_mount().
+ - make NFS version check flags consistent.
+ - refactor get_nfs_info().
++- also require TCP_REQUESTED when setting NFS port.
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/modules/replicated.c b/modules/replicated.c
+index e03c9d25..09075dd0 100644
+--- a/modules/replicated.c
++++ b/modules/replicated.c
+@@ -291,7 +291,7 @@ static unsigned int get_nfs_info(unsigned logopt, struct host *host,
+ 
+ 	rpc_info->proto = proto;
+ 	if (port < 0) {
+-		if (version & NFS4_REQUESTED)
++		if ((version & NFS4_REQUESTED) && (version & TCP_REQUESTED))
+ 			rpc_info->port = NFS_PORT;
+ 		else
+ 			port = 0;

autofs-5.1.7-eliminate-buffer-usage-from-handle_mounts_cleanup.patch

@@ -0,0 +1,86 @@
+autofs-5.1.7 - eliminate buffer usage from handle_mounts_cleanup()
+
+From: Ian Kent <raven@themaw.net>
+
+This buffer was originally added because a SEGV was seen accessing
+the ap->path field on shutdown.
+
+But this was actually caused by calling master_remove_mapent() too
+early which adds the map entry to the master map join list that leads
+to freeing the autofs_point (ap in the code) which also frees ap->path.
+
+But the master map join list is protected by the master map mutex which
+is held until after all the accesses are completed. So whatever the
+problem was it doesn't appear to be present any more.
+
+Nevertheless, to be sure, delay the call to master_remove_mapent() until
+after all accesses to ap->path are completed.
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG          |    1 +
+ daemon/automount.c |   13 ++++++-------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 38304720..6ab4813d 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -87,6 +87,7 @@
+ - add copy length check in umount_autofs_indirect().
+ - add some buffer length checks to master map parser.
+ - add buffer length check to rmdir_path().
++- eliminate buffer usage from handle_mounts_cleanup().
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/automount.c b/daemon/automount.c
+index 114b013a..cc286892 100644
+--- a/daemon/automount.c
++++ b/daemon/automount.c
+@@ -1716,7 +1716,6 @@ void handle_mounts_startup_cond_destroy(void *arg)
+ static void handle_mounts_cleanup(void *arg)
+ {
+ 	struct autofs_point *ap;
+-	char path[PATH_MAX + 1];
+ 	char buf[MAX_ERR_BUF];
+ 	unsigned int clean = 0, submount, logopt;
+ 	unsigned int pending = 0;
+@@ -1726,7 +1725,6 @@ static void handle_mounts_cleanup(void *arg)
+ 	logopt = ap->logopt;
+ 	submount = ap->submount;
+ 
+-	strcpy(path, ap->path);
+ 	if (!submount && strcmp(ap->path, "/-") &&
+ 	    ap->flags & MOUNT_FLAG_DIR_CREATED)
+ 		clean = 1;
+@@ -1751,8 +1749,8 @@ static void handle_mounts_cleanup(void *arg)
+ 	/* Don't signal the handler if we have already done so */
+ 	if (!list_empty(&master_list->completed))
+ 		pending = 1;
+-	master_remove_mapent(ap->entry);
+-	master_source_unlock(ap->entry);
++
++	info(logopt, "shut down path %s", ap->path);
+ 
+ 	destroy_logpri_fifo(ap);
+ 
+@@ -1768,14 +1766,15 @@ static void handle_mounts_cleanup(void *arg)
+ 	}
+ 
+ 	if (clean) {
+-		if (rmdir(path) == -1) {
++		if (rmdir(ap->path) == -1) {
+ 			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+ 			warn(logopt, "failed to remove dir %s: %s",
+-			     path, estr);
++			     ap->path, estr);
+ 		}
+ 	}
+ 
+-	info(logopt, "shut down path %s", path);
++	master_remove_mapent(ap->entry);
++	master_source_unlock(ap->entry);
+ 
+ 	/*
+ 	 * If we are not a submount send a signal to the signal handler

autofs-5.1.7-fix-incorrect-print-format-specifiers.patch

@@ -0,0 +1,44 @@
+autofs-5.1.7 - fix incorrect print format specifiers in get_pkt()
+
+From: Ian Kent <raven@themaw.net>
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG          |    1 +
+ daemon/automount.c |    4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 680dbbd7..0dac7318 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -82,6 +82,7 @@
+ - eliminate some more alloca usage.
+ - use default stack size for threads.
+ - fix use of possibly NULL var in lookup_program.c:match_key().
++- fix incorrect print format specifiers in get_pkt().
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/automount.c b/daemon/automount.c
+index d7432350..45e0833f 100644
+--- a/daemon/automount.c
++++ b/daemon/automount.c
+@@ -1116,7 +1116,7 @@ static int get_pkt(struct autofs_point *ap, union autofs_v5_packet_union *pkt)
+ 				estr = strerror_r(errno, buf, MAX_ERR_BUF);
+ 				error(ap->logopt,
+ 				      "read error on state pipe, "
+-				      "read %u, error %s",
++				      "read %lu, error %s",
+ 				      read, estr);
+ 				st_mutex_unlock();
+ 				continue;
+@@ -1134,7 +1134,7 @@ static int get_pkt(struct autofs_point *ap, union autofs_v5_packet_union *pkt)
+ 				estr = strerror_r(errno, buf, MAX_ERR_BUF);
+ 				error(ap->logopt,
+ 				      "read error on request pipe, "
+-				      "read %u, expected %u error %s",
++				      "read %lu, expected %lu error %s",
+ 				       read, kpkt_len, estr);
+ 			}
+ 			return read;

autofs-5.1.7-fix-use-of-possibly-NULL-var-in-lookup_program_c-match_key.patch

@@ -0,0 +1,43 @@
+autofs-5.1.7 - fix use of possibly NULL var in lookup_program.c:match_key()
+
+From: Ian Kent <raven@themaw.net>
+
+The lookup key used in match_key() should not be NULL.
+
+A check for a malloc() failure of the lookup key is missing in one of
+the two cases in match_key() so add it.
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG                |    1 +
+ modules/lookup_program.c |    5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 61f3547a..680dbbd7 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -81,6 +81,7 @@
+ - fix concat_options() error handling.
+ - eliminate some more alloca usage.
+ - use default stack size for threads.
++- fix use of possibly NULL var in lookup_program.c:match_key().
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/modules/lookup_program.c b/modules/lookup_program.c
+index 028580e5..691abedb 100644
+--- a/modules/lookup_program.c
++++ b/modules/lookup_program.c
+@@ -468,6 +468,11 @@ static int match_key(struct autofs_point *ap,
+ 
+ 	if (!is_amd_format) {
+ 		lkp_key = strdup(name);
++		if (!lkp_key) {
++			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
++			error(ap->logopt, MODPREFIX "malloc: %s", estr);
++			return NSS_STATUS_UNAVAIL;
++		}
+ 		lkp_len = name_len;
+ 	} else {
+ 		size_t len;

autofs-5.1.7-make-NFS-version-check-flags-consistent.patch

@@ -0,0 +1,69 @@
+autofs-5.1.7 - make NFS version check flags consistent
+
+From: Ian Kent <raven@themaw.net>
+
+Several of the NFS connection macros have the same value so that they
+can be used as internal code documentation of what is being done.
+
+Adjust the protocol macro naming to be consistent in a few places.
+
+Also make sure the correct flags are set for the function they indicate.
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG           |    1 +
+ modules/mount_nfs.c |   16 +++++++++-------
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 17926916..c27973bb 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -89,6 +89,7 @@
+ - add buffer length check to rmdir_path().
+ - eliminate buffer usage from handle_mounts_cleanup().
+ - add buffer length checks to autofs mount_mount().
++- make NFS version check flags consistent.
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/modules/mount_nfs.c b/modules/mount_nfs.c
+index 0314a78f..0ab87dcf 100644
+--- a/modules/mount_nfs.c
++++ b/modules/mount_nfs.c
+@@ -178,18 +178,20 @@ int mount_mount(struct autofs_point *ap, const char *root, const char *name, int
+ 						port = 0;
+ 				} else if (_strncmp("proto=udp", cp, o_len) == 0 ||
+ 					   _strncmp("udp", cp, o_len) == 0) {
+-					vers &= ~TCP_SUPPORTED;
++					vers &= ~TCP_REQUESTED;
++					vers |= UDP_REQUESTED;
+ 				} else if (_strncmp("proto=udp6", cp, o_len) == 0 ||
+ 					   _strncmp("udp6", cp, o_len) == 0) {
+-					vers &= ~TCP_SUPPORTED;
+-					vers |= UDP6_REQUESTED;
++					vers &= ~(TCP_REQUESTED|TCP6_REQUESTED);
++					vers |= (UDP_REQUESTED|UDP6_REQUESTED);
+ 				} else if (_strncmp("proto=tcp", cp, o_len) == 0 ||
+ 					   _strncmp("tcp", cp, o_len) == 0) {
+-					vers &= ~UDP_SUPPORTED;
++					vers &= ~UDP_REQUESTED;
++					vers |= TCP_REQUESTED;
+ 				} else if (_strncmp("proto=tcp6", cp, o_len) == 0 ||
+ 					   _strncmp("tcp6", cp, o_len) == 0) {
+-					vers &= ~UDP_SUPPORTED;
+-					vers |= TCP6_REQUESTED;
++					vers &= ~(UDP_REQUESTED|UDP6_REQUESTED);
++					vers |= TCP_REQUESTED|TCP6_REQUESTED;
+ 				}
+ 				/* Check for options that also make sense
+ 				   with bind mounts */
+@@ -246,7 +248,7 @@ int mount_mount(struct autofs_point *ap, const char *root, const char *name, int
+ 	    mount_default_proto == 4 &&
+ 	    (vers & NFS_VERS_MASK) != 0 &&
+ 	    (vers & NFS4_VERS_MASK) != 0 &&
+-	    !(vers & UDP6_REQUESTED)) {
++	    !(vers & (UDP_REQUESTED|UDP6_REQUESTED))) {
+ 		unsigned int v4_probe_ok = 0;
+ 		struct host *tmp = new_host(hosts->name, 0,
+ 					    hosts->addr, hosts->addr_len,

autofs-5.1.7-refactor-get_nfs_info.patch

@@ -0,0 +1,206 @@
+autofs-5.1.7 - refactor get_nfs_info()
+
+From: Ian Kent <raven@themaw.net>
+
+Make getting a portmap client and getting a service port from portmap
+helper functions and simplify the return handling.
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG            |    1 
+ modules/replicated.c |  135 ++++++++++++++++++++++++++++----------------------
+ 2 files changed, 76 insertions(+), 60 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index c27973bb..5d2c2c88 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -90,6 +90,7 @@
+ - eliminate buffer usage from handle_mounts_cleanup().
+ - add buffer length checks to autofs mount_mount().
+ - make NFS version check flags consistent.
++- refactor get_nfs_info().
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/modules/replicated.c b/modules/replicated.c
+index ffaf519f..e03c9d25 100644
+--- a/modules/replicated.c
++++ b/modules/replicated.c
+@@ -223,6 +223,49 @@ void free_host_list(struct host **list)
+ 	*list = NULL;
+ }
+ 
++static unsigned int get_portmap_client(unsigned logopt,
++			struct conn_info *pm_info, struct host *host,
++			int proto)
++{
++	unsigned int status;
++
++	/* On success client is stored in pm_info->client */
++	status = rpc_portmap_getclient(pm_info,
++			host->name, host->addr, host->addr_len,
++			proto, RPC_CLOSE_DEFAULT);
++	if (status == -EHOSTUNREACH)
++		debug(logopt,
++		      "host not reachable getting portmap client");
++	else if (status)
++		debug(logopt, "error 0x%d getting portmap client");
++
++	return status;
++}
++
++static unsigned int get_portmap_port(unsigned logopt,
++		struct conn_info *pm_info, struct pmap *parms,
++		unsigned long vers, unsigned int version,
++		short unsigned int *port)
++{
++	unsigned int status;
++	short unsigned int nfs_port;
++
++	parms->pm_vers = vers;
++	status = rpc_portmap_getport(pm_info, parms, &nfs_port);
++	if (status == -EHOSTUNREACH || status == -ETIMEDOUT) {
++		debug(logopt,
++		      "host not reachable or timed out getting service port");
++	} else if (status < 0) {
++		if (!(version & NFS_VERS_MASK))
++			debug(logopt, "error 0x%d getting service port");
++	}
++
++	if (!status)
++		*port = nfs_port;
++
++	return status;
++}
++
+ static unsigned int get_nfs_info(unsigned logopt, struct host *host,
+ 			 struct conn_info *pm_info, struct conn_info *rpc_info,
+ 			 int proto, unsigned int version, int port)
+@@ -263,33 +306,20 @@ static unsigned int get_nfs_info(unsigned logopt, struct host *host,
+ 		goto v3_ver;
+ 
+ 	if (!port) {
+-		status = rpc_portmap_getclient(pm_info,
+-				host->name, host->addr, host->addr_len,
+-				proto, RPC_CLOSE_DEFAULT);
+-		if (status == -EHOSTUNREACH) {
+-			debug(logopt,
+-			      "host not reachable getting portmap client");
+-			supported = status;
+-			goto done_ver;
+-		} else if (status) {
+-			debug(logopt, "error 0x%d getting portmap client");
++		status = get_portmap_client(logopt, pm_info, host, proto);
++		if (status) {
++			if (status == -EHOSTUNREACH)
++				supported = status;
+ 			goto done_ver;
+ 		}
+-		parms.pm_vers = NFS4_VERSION;
+-		status = rpc_portmap_getport(pm_info, &parms, &rpc_info->port);
+-		if (status == -EHOSTUNREACH || status == -ETIMEDOUT) {
+-			debug(logopt,
+-			      "host not reachable or timed out getting service port");
+-			supported = status;
+-			goto done_ver;
+-		} else if (status < 0) {
+-			if (version & NFS_VERS_MASK)
++		status = get_portmap_port(logopt, pm_info, &parms,
++				NFS4_VERSION, version, &rpc_info->port);
++		if (status) {
++			if (status == -EHOSTUNREACH || status == -ETIMEDOUT)
++				supported = status;
++			if (status < 0 && version & NFS_VERS_MASK)
+ 				goto v3_ver; /* MOUNT_NFS_DEFAULT_PROTOCOL=4 */
+-			else {
+-				debug(logopt,
+-				      "error 0x%d getting service port");
+-				goto done_ver;
+-			}
++			goto done_ver;
+ 		}
+ 	}
+ 
+@@ -334,31 +364,22 @@ v3_ver:
+ 		goto v2_ver;
+ 
+ 	if (!port && !pm_info->client) {
+-		status = rpc_portmap_getclient(pm_info,
+-				host->name, host->addr, host->addr_len,
+-				proto, RPC_CLOSE_DEFAULT);
+-		if (status == -EHOSTUNREACH) {
+-			debug(logopt,
+-			      "host not reachable getting portmap client");
+-			supported = status;
+-			goto done_ver;
+-		} else if (status) {
+-			debug(logopt,
+-			      "error 0x%d getting getting portmap client");
++		status = get_portmap_client(logopt, pm_info, host, proto);
++		if (status) {
++			if (status == -EHOSTUNREACH)
++				supported = status;
+ 			goto done_ver;
+ 		}
+ 	}
+ 
+ 	if (!port) {
+-		parms.pm_vers = NFS3_VERSION;
+-		status = rpc_portmap_getport(pm_info, &parms, &rpc_info->port);
+-		if (status == -EHOSTUNREACH || status == -ETIMEDOUT) {
+-			debug(logopt,
+-			      "host not reachable or timed out getting service port");
+-			supported = status;
++		status = get_portmap_port(logopt, pm_info, &parms,
++				NFS3_VERSION, version, &rpc_info->port);
++		if (status) {
++			if (status == -EHOSTUNREACH || status == -ETIMEDOUT)
++				supported = status;
+ 			goto done_ver;
+-		} else if (status < 0)
+-			goto v2_ver;
++		}
+ 	}
+ 
+ 	if (rpc_info->proto == IPPROTO_UDP)
+@@ -399,28 +420,22 @@ v2_ver:
+ 		goto done_ver;
+ 
+ 	if (!port && !pm_info->client) {
+-		status = rpc_portmap_getclient(pm_info,
+-				host->name, host->addr, host->addr_len,
+-				proto, RPC_CLOSE_DEFAULT);
+-		if (status == -EHOSTUNREACH) {
+-			debug(logopt,
+-			      "host not reachable getting portmap client");
+-			supported = status;
+-			goto done_ver;
+-		} else if (status)
++		status = get_portmap_client(logopt, pm_info, host, proto);
++		if (status) {
++			if (status == -EHOSTUNREACH)
++				supported = status;
+ 			goto done_ver;
++		}
+ 	}
+ 
+ 	if (!port) {
+-		parms.pm_vers = NFS2_VERSION;
+-		status = rpc_portmap_getport(pm_info, &parms, &rpc_info->port);
+-		if (status == -EHOSTUNREACH || status == -ETIMEDOUT) {
+-			debug(logopt,
+-			      "host not reachable or timed out getting service port");
+-			supported = status;
+-			goto done_ver;
+-		} else if (status < 0)
++		status = get_portmap_port(logopt, pm_info, &parms,
++				NFS2_VERSION, version, &rpc_info->port);
++		if (status) {
++			if (status == -EHOSTUNREACH || status == -ETIMEDOUT)
++				supported = status;
+ 			goto done_ver;
++		}
+ 	}
+ 
+ 	if (rpc_info->proto == IPPROTO_UDP)

autofs.spec

@@ -12,7 +12,7 @@
 Summary: A tool for automatically mounting and unmounting filesystems
 Name: autofs
 Version: 5.1.7
-Release: 20%{?dist}
+Release: 21%{?dist}
 Epoch: 1
 License: GPLv2+
 Source: https://www.kernel.org/pub/linux/daemons/autofs/v5/autofs-%{version}.tar.gz
@@ -99,6 +99,17 @@ Patch79: autofs-5.1.7-fix-nonstrict-offset-mount-fail-handling.patch
 Patch80: autofs-5.1.7-fix-concat_options-error-handling.patch
 Patch81: autofs-5.1.7-eliminate-some-more-alloca-usage.patch
 Patch82: autofs-5.1.7-use-default-stack-size-for-threads.patch
+Patch83: autofs-5.1.7-fix-use-of-possibly-NULL-var-in-lookup_program_c-match_key.patch
+Patch84: autofs-5.1.7-fix-incorrect-print-format-specifiers.patch
+Patch85: autofs-5.1.7-add-mapent-path-length-check-in-handle_packet_expire_direct.patch
+Patch86: autofs-5.1.7-add-copy-length-check-in-umount_autofs_indirect.patch
+Patch87: autofs-5.1.7-add-some-buffer-length-checks-to-master-map-parser.patch
+Patch88: autofs-5.1.7-add-buffer-length-check-to-rmdir_path.patch
+Patch89: autofs-5.1.7-eliminate-buffer-usage-from-handle_mounts_cleanup.patch
+Patch90: autofs-5.1.7-add-buffer-length-checks-to-autofs-mount_mount.patch
+Patch91: autofs-5.1.7-make-NFS-version-check-flags-consistent.patch
+Patch92: autofs-5.1.7-refactor-get_nfs_info.patch
+Patch93: autofs-5.1.7-also-require-TCP_REQUESTED-when-setting-NFS-port.patch
 
 %if %{with_systemd}
 BuildRequires: systemd-units
@@ -245,6 +256,17 @@ echo %{version}-%{release} > .version
 %patch80 -p1
 %patch81 -p1
 %patch82 -p1
+%patch83 -p1
+%patch84 -p1
+%patch85 -p1
+%patch86 -p1
+%patch87 -p1
+%patch88 -p1
+%patch89 -p1
+%patch90 -p1
+%patch91 -p1
+%patch92 -p1
+%patch93 -p1
 
 %build
 LDFLAGS=-Wl,-z,now
@@ -353,6 +375,19 @@ fi
 %dir /etc/auto.master.d
 
 %changelog
+* Wed Oct 13 2021 Ian Kent <ikent@redhat.com> - 1:5.1.7-21
+- fix use of possibly NULL var in lookup_program.c:match_key().
+- fix incorrect print format specifiers in get_pkt().
+- add mapent path length check in handle_packet_expire_direct().
+- add copy length check in umount_autofs_indirect().
+- add some buffer length checks to master map parser.
+- add buffer length check to rmdir_path().
+- eliminate buffer usage from handle_mounts_cleanup().
+- add buffer length checks to autofs mount_mount().
+- make NFS version check flags consistent.
+- refactor get_nfs_info().
+- also require TCP_REQUESTED when setting NFS port.
+
 * Mon Aug 02 2021 Ian Kent <ikent@redhat.com> - 1:5.1.7-20
 - fix potential memory leak in "eliminate some more alloca usage" patch.
 - remove unused parameter from add_path() in "eliminate some more alloca usage" patch.