autofs-5.0.7 - fix several off by one errors
From: Ian Kent
Fix several off-by-one array reference errors and a couple of short allocation errors.
---
daemon/spawn.c | 10 +++++-----
lib/defaults.c | 2 +-
modules/lookup_ldap.c | 8 ++++----
modules/parse_hesiod.c | 2 +-
modules/parse_sun.c | 2 +-
5 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/daemon/spawn.c b/daemon/spawn.c
index 3b4a009..9b8d5a2 100644
--- a/daemon/spawn.c
+++ b/daemon/spawn.c
@@ -320,7 +320,7 @@ int spawn_mount(unsigned logopt, ...)
 unsigned int retries = MTAB_LOCK_RETRIES;
 int update_mtab = 1, ret, printed = 0;
 unsigned int wait = defaults_get_mount_wait();
- char buf[PATH_MAX];
+ char buf[PATH_MAX + 1];
 /* If we use mount locking we can't validate the location */
 #ifdef ENABLE_MOUNT_LOCKING
@@ -346,7 +346,7 @@ int spawn_mount(unsigned logopt, ...)
 }
 /* Alloc 1 extra slot in case we need to use the "-f" option */
- if (!(argv = alloca(sizeof(char *) * argc + 2)))
+ if (!(argv = alloca(sizeof(char *) * (argc + 2))))
 return -1;
 argv[0] = arg0;
@@ -448,7 +448,7 @@ int spawn_bind_mount(unsigned logopt, ...)
 unsigned int options;
 unsigned int retries = MTAB_LOCK_RETRIES;
 int update_mtab = 1, ret, printed = 0;
- char buf[PATH_MAX];
+ char buf[PATH_MAX + 1];
 /* If we use mount locking we can't validate the location */
 #ifdef ENABLE_MOUNT_LOCKING
@@ -477,7 +477,7 @@ int spawn_bind_mount(unsigned logopt, ...)
 }
 }
- if (!(argv = alloca(sizeof(char *) * argc + 2)))
+ if (!(argv = alloca(sizeof(char *) * (argc + 2))))
 return -1;
 argv[0] = arg0;
@@ -556,7 +556,7 @@ int spawn_umount(unsigned logopt, ...)
 unsigned int retries = MTAB_LOCK_RETRIES;
 int update_mtab = 1, ret, printed = 0;
 unsigned int wait = defaults_get_umount_wait();
- char buf[PATH_MAX];
+ char buf[PATH_MAX + 1];
 #ifdef ENABLE_MOUNT_LOCKING
 options = SPAWN_OPT_LOCK;
diff --git a/lib/defaults.c b/lib/defaults.c
index ae1162f..1e89509 100644
--- a/lib/defaults.c
+++ b/lib/defaults.c
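Review bot: The enlarged `buf` in spawn_mount is declared without saying what the extra byte is for, and the code that fills it lies outside the hunk, so the fix cannot be checked from here. If the byte is meant to hold a terminating NUL after up to PATH_MAX bytes of data, state that at the declaration, e.g. `/* PATH_MAX bytes of data plus a terminating NUL */`, and have the writer bound itself with `sizeof(buf) - 1` rather than repeating `PATH_MAX`, so the two cannot drift apart again. The same declaration is changed in spawn_bind_mount (-448) and spawn_umount (-556).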
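Review bot: The `if (!(argv = alloca(...)))` test in spawn_mount (-346) can never fire, because alloca() has no failure return; exhausting the stack is undefined behaviour, not a NULL result. With the size now correctly `sizeof(char *) * (argc + 2)`, the remaining exposure is that `argc` appears to be counted from the variadic arguments (the counting loop is outside the hunk) and is not visibly bounded before it sizes a stack allocation. Either cap `argc` before the call or use `malloc()` with a real failure path and a matching `free()`. The comment also says one extra slot while two are reserved, presumably one for "-f" and one for the terminating NULL; `/* argc entries plus "-f" plus the NULL terminator */` would match the code. The same lines appear in spawn_bind_mount (-477), and input-sized alloca() calls are also touched in add_uris (lib/defaults.c) and mount_subtree (modules/parse_sun.c).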
@@ -227,7 +227,7 @@ void defaults_free_uris(struct list_head *list)
 static unsigned int add_uris(char *value, struct list_head *list)
 {
 char *str, *tok, *ptr = NULL;
- size_t len = strlen(value);
+ size_t len = strlen(value) + 1;
 str = alloca(len);
 if (!str)
diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c
index 83e3215..17cbe9a 100644
--- a/modules/lookup_ldap.c
+++ b/modules/lookup_ldap.c
@@ -2234,8 +2234,8 @@ static int do_get_entries(struct ldap_search_params *sp, struct map_source *sour
 mapent = new_me;
 strcat(mapent, " ");
 strncat(mapent, v_val, v_len);
- mapent[new_size] = '\0';
- mapent_len = new_size;
+ mapent[new_size - 1] = '\0';
+ mapent_len = new_size - 1;
 } else {
 char *estr;
 estr = strerror_r(errno, buf, sizeof(buf));
@@ -2723,8 +2723,8 @@ static int lookup_one(struct autofs_point *ap,
 mapent = new_me;
 strcat(mapent, " ");
 strncat(mapent, v_val, v_len);
- mapent[new_size] = '\0';
- mapent_len = new_size;
+ mapent[new_size - 1] = '\0';
+ mapent_len = new_size - 1;
 } else {
 char *estr;
 estr = strerror_r(errno, buf, sizeof(buf));
diff --git a/modules/parse_hesiod.c b/modules/parse_hesiod.c
index 7a6a57d..237fd50 100644
--- a/modules/parse_hesiod.c
+++ b/modules/parse_hesiod.c
@@ -117,7 +117,7 @@ static int parse_nfs(struct autofs_point *ap,
 p++;
 /* Isolate the remote mountpoint for this NFS fs. */
- for (i = 0; (!isspace(p[i]) && i < (int) sizeof(mount)); i++) {
+ for (i = 0; (!isspace(p[i]) && i < ((int) sizeof(mount) - 1)); i++) {
 if (!p[i]) {
 error(ap->logopt, MODPREFIX "unexpeced end of input looking for NFS "
diff --git a/modules/parse_sun.c b/modules/parse_sun.c
index ae1caf7..c1fc528 100644
--- a/modules/parse_sun.c
+++ b/modules/parse_sun.c
@@ -1135,7 +1135,7 @@ static int mount_subtree(struct autofs_point *ap, struct mapent *me,
 }
 ro_len = strlen(ro_loc);
- tmp = alloca(mnt_root_len + 1);
+ tmp = alloca(mnt_root_len + 2);
 strcpy(tmp, mnt_root);
 tmp[mnt_root_len] = '/';
 tmp[mnt_root_len + 1] = '\0';
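Review bot: In do_get_entries (-2234) the recorded length is still derived from `new_size` rather than from what `strcat`/`strncat` actually wrote, so `mapent_len = new_size - 1` is only right if `new_size` (computed outside the hunk) is exactly the old length plus `v_len` plus two, and if the directory-supplied `v_val` holds no NUL byte within `v_len`. `strncat` stops at the first NUL and always terminates its result, so a shorter value would leave `mapent_len` larger than the string, with unwritten bytes from the reallocation between the real terminator and `mapent[new_size - 1]`. Taking the length from the buffer, `mapent_len = strlen(mapent);`, removes that dependency and makes the explicit terminator write unnecessary. The lookup_one hunk (-2723) repeats the same five lines and needs the same change, which argues for one shared append helper.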
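Review bot: `isspace(p[i])` in the parse_nfs loop is undefined for bytes with the high bit set if `p` is a plain `char` pointer and `char` is signed; because `p` walks data obtained from a name service, cast it: `isspace((unsigned char) p[i])`. The new bound `(int) sizeof(mount) - 1` leaves room for the terminator, but an over-long mountpoint now ends the loop the same way whitespace does. The code after the loop is outside the hunk; it should treat `i == (int) sizeof(mount) - 1` with a non-space `p[i]` as an error and reject the entry instead of mounting the truncated prefix.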