- ignore duplicate exports in auto.net. - add kernel version check function. - add function to check mount.nfs version. - reinstate singleton mount probe. - rework error return handling in rpc code. - catch EHOSTUNREACH and bail out early. - systemd support fixes. - fix segmentation fault in do_remount_indirect().
| autofs-5.0.6 - fix segmentation fault in do_remount_indirect()
| 
| From: Leonardo Chiquitto <leonardo.lists@gmail.com>
| 
| In some rare circumstances, it's possible that automount will crash
| on startup while trying to reconnect to a "half-broken" NFS mount
| point.
| 
| The segmentation fault happens because we're not testing scandir()'s
| return value in do_remount_indirect():
| 
| lib/mounts.c:
| 1210       i = j = scandir(buf, &de2, 0, alphasort);
| 1211       while (i--)
| 1212         free(de2[i]);
| 
| So, if scandir() returns -1, it will try to free de2[-1], de2[-2], etc.
| 
| Here's the call trace, for reference:
| 
| Program terminated with signal 11, Segmentation fault.
| #0  0x00007ffff7fe2425 in do_remount_indirect (ap=0x7ffff821e070, fd=15,
|     path=0x7ffff821e150 "/nfs/iil") at mounts.c:1212
| 1212                    free(de2[i]);
| (gdb) print j
| $1 = -1
| (gdb) print de2
| $3 = (struct dirent **) 0x0
| 
| #0  0x00007ffff7fe2425 in do_remount_indirect (ap=0x7ffff821e070, fd=15,
|     path=0x7ffff821e150 "/nfs/iil") at mounts.c:1212
| #1  0x00007ffff7fe2a48 in remount_active_mount (ap=0x7ffff821e070, mc=0x0,
|     path=0x7ffff821e150 "/nfs/iil", devid=20, type=<optimized out>,
|     ioctlfd=0x7ffff6e5babc) at mounts.c:1327
| #2  0x00007ffff7fe2ac6 in try_remount (ap=0x7ffff821e070, me=0x0, type=1)
|     at mounts.c:1357
| #3  0x00007ffff7fd35e0 in do_mount_autofs_indirect (root=<optimized out>,
|     ap=<optimized out>) at indirect.c:103
| #4  mount_autofs_indirect (ap=0x7ffff821e070, root=0x7ffff8202d50 "/nfs/iil")
|     at indirect.c:213
| #5  0x00007ffff7fd1473 in mount_autofs (root=<optimized out>,
|     ap=<optimized out>) at automount.c:1005
| #6  handle_mounts (arg=0x7fffffffdfd0) at automount.c:1526
| #7  0x00007ffff7b8e5f0 in start_thread (arg=<optimized out>)
|     at pthread_create.c:297
| #8  0x00007ffff6f3187d in clone ()
|     at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
| #9  0x0000000000000000 in ?? ()
| 
| Suggested fix:
| 
| Check scandir() return value
| 
| In some rare circumstance, it's possible that automount will crash
| on startup while trying to reconnect to a "half-broken" NFS mount
| point.
| ---
| 
|  CHANGELOG    |    1 +
|  lib/mounts.c |    4 ++++
|  2 files changed, 5 insertions(+)
| 
| 
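--- autofs-5.0.6.orig/CHANGELOG
+++ autofs-5.0.6/CHANGELOG
@@ -30,6 +30,7 @@
 - rework error return handling in rpc code.
 - catch EHOSTUNREACH and bail out early.
 - systemd support fixes.
+- check scandir() return value.
 
 28/06/2011 autofs-5.0.6
 -----------------------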
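--- autofs-5.0.6.orig/lib/mounts.c
+++ autofs-5.0.6/lib/mounts.c
@@ -1355,6 +1355,10 @@ static int do_remount_indirect(struct au
 			int i, j;
 
 			i = j = scandir(buf, &de2, 0, alphasort);
+			if (i < 0) {
+				free(de[n]);
+				continue;
+			}
 			while (i--)
 				free(de2[i]);
 			free(de2);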
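Review bot: The new `if (i < 0)` branch after the `scandir()` call skips the entry silently, so the "half-broken" mount condition that previously crashed automount now leaves no trace in the log and nothing is left for an operator to diagnose; record the failure with `errno` through the file's existing logging macros before the `continue`, e.g. a debug-level line naming `buf` and the error string. The branch also frees `de[n]` before continuing, which is only correct if the loop's normal exit path frees `de[n]` itself — that path is outside the hunk, so please confirm there is no double free or leak between the two paths. The enclosing `do_remount_indirect()` starts and ends outside the hunk.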