autofs-5.1.4 - fix use after free in do_master_list_reset()
From: Ian Kent

Umm ... list_for_each() can't be used in do_master_list_reset() because the subject entry of the loop is removed from the list within the loop body. Therefore it can't be used to calculate the next pointer within a for (...) loop. There is no list_for_each_safe() macro in the list.h of autofs so it needs to be done manually.

Signed-off-by: Ian Kent
---
CHANGELOG | 1 + daemon/automount.c | 8 ++++++-- 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG index 4cb23f2..6cd3029 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -289,6 +289,7 @@ - fix open calls not using open_xxxx() calls. - move open_xxxx() functions to spawn.c. - serialize calls to open_xxxx() functions. +- fix use after free in do_master_list_reset(). 25/07/2012 autofs-5.0.7 =======================
diff --git a/daemon/automount.c b/daemon/automount.c index d96cd35..1a61b90 100644 --- a/daemon/automount.c +++ b/daemon/automount.c @@ -2075,14 +2075,18 @@ static void remove_empty_args(char **argv, int *argc) static void do_master_list_reset(struct master *master) { - struct list_head *head, *p; + struct list_head *head, *p, *n; master_mutex_lock(); head = &master->mounts; - list_for_each(p, head) { + n = head->next; + while (n != head) { struct master_mapent *entry; + p = n; + n = p->next; + entry = list_entry(p, struct master_mapent, list); if (!list_empty(&entry->list))
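Review bot: the CHANGELOG entry lands in the wrong release section. The hunk at line 289 inserts "+- fix use after free in do_master_list_reset()." immediately above the "25/07/2012 autofs-5.0.7" header, i.e. at the bottom of the already-released block that precedes it (the open_xxxx() entries), not in the block for the release this patch targets. Move the line up to the current, unreleased section at the top of the file so the changelog matches the autofs-5.1.4 subject of the patch.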
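Review bot: in the automount.c hunk, caching "n = p->next;" before the body only protects against the body removing p itself; if the code under "if (!list_empty(&entry->list))" (the rest of the hunk is not shown here) can ever unlink or free a different entry, in particular the one n points at, the cached pointer is stale and the same use after free comes back. Worth a one-line comment above "n = head->next;" stating that the loop relies on the body freeing only entry. Also, since the commit message notes that list.h has no list_for_each_safe(), consider adding that macro to include/list.h (the two-pointer form open-coded here) instead of hand-rolling the walk, so the next caller that deletes inside a loop does not repeat the original bug; list_for_each() stays unsafe for any loop that frees p.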
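The mechanism the commit message describes, as an added example that is not autofs code: a loop in the shape of list_for_each() reads p->next after the body has freed p, while the patched two-pointer walk captures the successor first. The example assumes a minimal list.h-style intrusive list, a hypothetical `struct mapent` standing in for `struct master_mapent`, and a `mapent_free()` that poisons the node instead of calling free(); every pointer chase goes through a hypothetical `next_of()` so a read out of a freed node is counted rather than being undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Tiny intrusive list in the style of autofs's include/list.h (assumed API,
 * not the project's header). */
struct list_head {
        struct list_head *next, *prev;
};

#define INIT_LIST_HEAD(h) do { (h)->next = (h); (h)->prev = (h); } while (0)
#define list_entry(ptr, type, member) \
        ((type *)((char *)(ptr) - offsetof(type, member)))

static void list_add_tail(struct list_head *n, struct list_head *head)
{
        n->prev = head->prev;
        n->next = head;
        head->prev->next = n;
        head->prev = n;
}

static void list_del(struct list_head *e)
{
        e->prev->next = e->next;
        e->next->prev = e->prev;
}

/* Stand-in for struct master_mapent (hypothetical fields). */
struct mapent {
        char path[32];
        int freed;                 /* set by mapent_free(); memory is kept alive */
        struct list_head list;
};

static int freed_reads;            /* pointer chases out of a freed node */

/* Unlink and "free" an entry. Real code would call free() here; the example
 * keeps the memory and poisons the links so the bad read is observable and
 * deterministic instead of undefined behaviour. */
static void mapent_free(struct mapent *e)
{
        list_del(&e->list);
        e->freed = 1;
        e->list.next = e->list.prev = (struct list_head *)0x100; /* LIST_POISON-like */
}

/* Every p->next in the two walks goes through here; p is always an entry,
 * never the head. A chase out of a freed node is counted and the poison
 * pointer is never dereferenced (in real code it would be garbage). */
static struct list_head *next_of(struct list_head *p, struct list_head *head)
{
        struct mapent *e = list_entry(p, struct mapent, list);
        if (e->freed) {
                freed_reads++;
                return head;
        }
        return p->next;
}

/* What the pre-patch list_for_each(p, head) expands to, with the pointer
 * chase routed through next_of(): the successor is read from p AFTER the
 * body has freed p. */
static int reset_unsafe(struct list_head *head)
{
        struct list_head *p;
        int processed = 0;
        for (p = head->next; p != head; p = next_of(p, head)) {
                mapent_free(list_entry(p, struct mapent, list));
                processed++;
        }
        return processed;
}

/* The patched shape: the successor is captured BEFORE the body runs, so
 * freeing p never feeds a stale pointer back into the loop. Still relies on
 * the body freeing only p, never the entry n points at. */
static int reset_safe(struct list_head *head)
{
        struct list_head *p, *n;
        int processed = 0;
        n = head->next;
        while (n != head) {
                p = n;
                n = next_of(p, head);
                mapent_free(list_entry(p, struct mapent, list));
                processed++;
        }
        return processed;
}

struct demo_result {
        int processed;             /* entries the walk actually released */
        int freed_reads;           /* pointer chases out of freed memory */
};

/* Build a constructed list of `count` entries, run one walk and report. */
static struct demo_result run_demo(int count, int use_safe_walk)
{
        struct list_head head;
        struct mapent *ents = calloc((size_t)count, sizeof *ents);
        struct demo_result r = { -1, -1 };
        int i;
        if (!ents)
                return r;
        INIT_LIST_HEAD(&head);
        for (i = 0; i < count; i++) {
                snprintf(ents[i].path, sizeof ents[i].path, "/net/host%d", i);
                list_add_tail(&ents[i].list, &head);
        }
        freed_reads = 0;
        r.processed = use_safe_walk ? reset_safe(&head) : reset_unsafe(&head);
        r.freed_reads = freed_reads;
        free(ents);                /* the quarantine is released for real here */
        return r;
}

int main(void)
{
        struct demo_result u = run_demo(3, 0), s = run_demo(3, 1);
        printf("list_for_each style: processed %d of 3, reads from freed nodes %d\n",
               u.processed, u.freed_reads);
        printf("safe walk:           processed %d of 3, reads from freed nodes %d\n",
               s.processed, s.freed_reads);
        return 0;
}
```

The unsafe walk releases one entry and then chases a pointer out of the node it just freed, which the accessor reports and stops; with a real free() the same read returns whatever the allocator left there, so the outcome is a crash or a walk through recycled memory depending on the allocator. The safe walk releases all three entries without ever touching freed memory.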