Hi Steinar,

On Wed, May 11, 2005 at 01:51:13PM +0200, Steinar H. Gunderson wrote:

> I've uploaded autofs 4.1.3+4.1.4beta2-8 to sid, which fixes (to the best of
> my knowledge -- I can't reproduce the problems myself) two important bugs,
> and contains no other changes. vorlon promised me a freeze exception for the
> upload, so letting it through to sarge would be nice :-) Thanks.

Hmm, memory leak:

++/*
++ *  Check to see if the 'host:path' or 'host' is on the local machine
++ *  Returns < 0 if there is a host lookup problem, otherwise returns 0
++ *  if it's not a local mount, and returns > 0 if it is a local mount.
++ */
++int is_local_mount(const char *hostpath)
++{
++      struct hostent *he;
++      char **haddr;
++      char *delim;
++      char *hostname;
++      int hostnamelen;
++      int local = 0;
++
++      debug(MODPREFIX "is_local_mount: %s", hostpath);
++      delim = strpbrk(hostpath,":");
++
++      if (delim) 
++              hostnamelen = delim - hostpath; 
++      else 
++              hostnamelen = strlen(hostpath);
++
++      hostname = malloc(hostnamelen+1);
++      strncpy(hostname, hostpath, hostnamelen);
++      hostname[hostnamelen] = '\0';
++      he = gethostbyname(hostname);
++      if (!he) {
++              error(MODPREFIX "host %s: lookup failure", hostname);
++              return -1;
++      }
++
++      for (haddr = he->h_addr_list; *haddr; haddr++) {
++              local = is_local_addr(hostname, *haddr, he->h_length);
++              if (local < 0) 
++                      return local;
++              if (local) {
++                      debug(MODPREFIX "host %s: is localhost",
++                                      hostname);
++                      return local;
++              }
++      }
++      return 0;
++}
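Review bot: hostname is malloc()'d once per call but freed on none of the four return paths (the lookup-failure `return -1`, the two returns inside the for loop, and the final `return 0`), so every call leaks hostnamelen+1 bytes; the malloc() result is also passed to strncpy() without a NULL check. Suggest checking for NULL right after `hostname = malloc(hostnamelen+1);` and routing every exit through a single cleanup label, e.g. `ret = local; goto out;` in the loop and `out: free(hostname); return ret;` at the end, so the buffer is released whichever branch is taken.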

Memory is allocated for hostname on every call, and never freed.

Is this being called from a long-lived server process?  If so, I think this
needs to be fixed.

The get_best_mount function worries me, as it's writing to a caller-provided
pointer (char *what) with no bounds checking.  This appears to be the
intended *use* of the pointer, so this isn't a blocking issue, it's just
something that ought to be cleaned up at some point (including making sure
there's no exploitable buffer overflow here when using things like LDAP or
Hesiod maps).

Let me know about the hostname memory leak, though, and we'll get this in.

Thanks,
-- 
Steve Langasek
postmodern programmer
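As an added example (not autofs code and not from either correspondent), one way to extract the host part of a "host:path" string without the per-call malloc() that is never freed and with the bounds check the review asks for; the function name extract_host and its caller-supplied buffer are this example's own, not autofs's.

```c
#include <stddef.h>
#include <string.h>

/*
 * Copy the "host" part of a "host:path" (or bare "host") string into a
 * caller-provided, fixed-size buffer, the same split is_local_mount()
 * does with strpbrk(hostpath, ":").
 *
 * Returns the host length on success, or -1 if the host part is empty
 * or would not fit (including the terminating NUL).  Because the caller
 * owns the buffer there is nothing to free(), and because the length is
 * checked against buflen the copy can never run past the buffer end.
 */
int extract_host(const char *hostpath, char *buf, size_t buflen)
{
	const char *delim = strpbrk(hostpath, ":");
	size_t hostlen = delim ? (size_t)(delim - hostpath)
	                       : strlen(hostpath);

	if (hostlen == 0 || hostlen + 1 > buflen) {
		/* leave the buffer in a defined state on failure */
		if (buflen > 0)
			buf[0] = '\0';
		return -1;
	}

	/* memcpy() of an exact, already-checked length; then terminate,
	 * so the result is always a valid C string */
	memcpy(buf, hostpath, hostlen);
	buf[hostlen] = '\0';
	return (int)hostlen;
}
```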
