autofs-5.1.4 - fix use after free in do_master_list_reset()

From: Ian Kent <raven@themaw.net>

Umm ... list_for_each() can't be used in do_master_list_reset() because

the subject entry of the loop is removed for the list within the loop

body. Therefore it can't be used to calculate the next pointer within a

for (...) loop.

There is no list_for_each_safe() macro in the list.h of autofs so it

needs to be done manually.

Signed-off-by: Ian Kent <raven@themaw.net>

---

 CHANGELOG          |    1 +

 daemon/automount.c |    8 ++++++--

 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG

index 4cb23f2..6cd3029 100644

--- a/CHANGELOG

+++ b/CHANGELOG

@@ -289,6 +289,7 @@

 - fix open calls not using open_xxxx() calls.

 - move open_xxxx() functions to spawn.c.

 - serialize calls to open_xxxx() functions.

+- fix use after free in do_master_list_reset().

 25/07/2012 autofs-5.0.7

 =======================

diff --git a/daemon/automount.c b/daemon/automount.c

index d96cd35..1a61b90 100644

--- a/daemon/automount.c

+++ b/daemon/automount.c

@@ -2075,14 +2075,18 @@ static void remove_empty_args(char **argv, int *argc)

 static void do_master_list_reset(struct master *master)

 {

-	struct list_head *head, *p;

+	struct list_head *head, *p, *n;

 	master_mutex_lock();

 	head = &master->mounts;

-	list_for_each(p, head) {

+	n = head->next;

+	while (n != head) {

 		struct master_mapent *entry;

+		p = n;

+		n = p->next;

+

 		entry = list_entry(p, struct master_mapent, list);

 		if (!list_empty(&entry->list))