autofs-5.1.8 - fix use after free in tree_mapent_delete_offset_tree()

From: Ian Kent <raven@themaw.net>

The key field of the map entry of the root of the map entry tree to be

deleted can't be used for the key parameter, fix it.

Signed-off-by: Ian Kent <raven@themaw.net>

---

 CHANGELOG    |    1 +

 lib/mounts.c |   16 +++++++++++++---

 2 files changed, 14 insertions(+), 3 deletions(-)

--- autofs-5.1.7.orig/CHANGELOG

+++ autofs-5.1.7/CHANGELOG

@@ -90,6 +90,7 @@

 - dont fail on duplicate offset entry tree add.

 - fix loop under run in cache_get_offset_parent().

 - simplify cache_add() a little.

+- fix use after free in tree_mapent_delete_offset_tree().

 25/01/2021 autofs-5.1.7

 - make bind mounts propagation slave by default.

--- autofs-5.1.7.orig/lib/mounts.c

+++ autofs-5.1.7/lib/mounts.c

@@ -1666,16 +1666,26 @@ static int tree_mapent_delete_offset_tre

 	 */

 	if (MAPENT_ROOT(me) != MAPENT_NODE(me)) {

 		struct tree_node *root = MAPENT_ROOT(me);

+		char *key;

-		debug(logopt, "deleting offset key %s", me->key);

+		key = strdup(me->key);

+		if (!key) {

+			char buf[MAX_ERR_BUF];

+			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);

+			error(logopt, "strdup: %s", estr);

+			return 0;

+		}

+

+		debug(logopt, "deleting offset key %s", key);

 		/* cache_delete won't delete an active offset */

 		MAPENT_SET_ROOT(me, NULL);

-		ret = cache_delete(me->mc, me->key);

+		ret = cache_delete(me->mc, key);

 		if (ret != CHE_OK) {

 			MAPENT_SET_ROOT(me, root);

-			warn(logopt, "failed to delete offset %s", me->key);

+			warn(logopt, "failed to delete offset %s", key);

 		}

+		free(key);

 	} else {

 		MAPENT_SET_ROOT(me, NULL);

 		MAPENT_SET_PARENT(me, NULL);