diff --git a/SOURCES/autofs-5.1.6-fix-autofs-mount-options-construction.patch b/SOURCES/autofs-5.1.6-fix-autofs-mount-options-construction.patch
new file mode 100644
index 0000000..e02f640
--- /dev/null
+++ b/SOURCES/autofs-5.1.6-fix-autofs-mount-options-construction.patch
@@ -0,0 +1,273 @@
+autofs-5.1.6 - fix autofs mount options construction
+
+From: Ian Kent
+
+There's an off by one length error in the autofs mount options
+construction.
+
+Consolidate the options construction into make_options_string() and
+use snprintf() to verify the options length calculation is correct.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1
+ daemon/direct.c | 46 ++-----------------------
+ daemon/indirect.c | 23 +-----------
+ include/mounts.h | 3 +
+ lib/mounts.c | 98 +++++++++++++++++++++++++++++++++++++++++++++---------
+ 5 files changed, 92 insertions(+), 79 deletions(-)
+
+--- autofs-5.1.4.orig/CHANGELOG
++++ autofs-5.1.4/CHANGELOG
+@@ -80,6 +80,7 @@ xx/xx/2018 autofs-5.1.5
+ - fix trailing dollar sun entry expansion.
+ - initialize struct addrinfo for getaddrinfo() calls.
+ - fix quoted string length calc in expandsunent().
++- fix autofs mount options construction.
+
+ 19/12/2017 autofs-5.1.4
+ - fix spec file url.
+--- autofs-5.1.4.orig/daemon/direct.c
++++ autofs-5.1.4/daemon/direct.c
+@@ -348,29 +348,10 @@ int do_mount_autofs_direct(struct autofs
+ }
+
+ if (!mp->options) {
+- mp->options = make_options_string(ap->path, ap->kpipefd, str_direct);
++ mp->options = make_options_string(ap->path,
++ ap->kpipefd, str_direct, ap->flags);
+ if (!mp->options)
+ return 0;
+-
+- if ((ap->flags & MOUNT_FLAG_STRICTEXPIRE) &&
+- ((get_kver_major() == 5 && get_kver_minor() > 3) ||
+- (get_kver_major() > 5))) {
+- char *tmp = realloc(mp->options, strlen(mp->options) + 12);
+- if (tmp) {
+- strcat(tmp, ",strictexpire");
+- mp->options = tmp;
+- }
+- }
+-
+- if ((ap->flags & MOUNT_FLAG_IGNORE) &&
+- ((get_kver_major() == 5 && get_kver_minor() > 4) ||
+- (get_kver_major() > 5))) {
+- char *tmp = realloc(mp->options, strlen(mp->options) + 7);
+- if (tmp) {
+- strcat(tmp, ",ignore");
+- mp->options = tmp;
+- }
+- }
+ }
+
+ /* In case the directory doesn't exist, try to mkdir it */
+@@ -676,29 +657,10 @@ int mount_autofs_offset(struct autofs_po
+ }
+
+ if (!mp->options) {
+- mp->options = make_options_string(ap->path, ap->kpipefd, str_offset);
++ mp->options = make_options_string(ap->path,
++ ap->kpipefd, str_offset, ap->flags);
+ if (!mp->options)
+ return MOUNT_OFFSET_OK;
+-
+- if ((ap->flags & MOUNT_FLAG_STRICTEXPIRE) &&
+- ((get_kver_major() == 5 && get_kver_minor() > 3) ||
+- (get_kver_major() > 5))) {
+- char *tmp = realloc(mp->options, strlen(mp->options) + 12);
+- if (tmp) {
+- strcat(tmp, ",strictexpire");
+- mp->options = tmp;
+- }
+- }
+-
+- if ((ap->flags & MOUNT_FLAG_IGNORE) &&
+- ((get_kver_major() == 5 && get_kver_minor() > 4) ||
+- (get_kver_major() > 5))) {
+- char *tmp = realloc(mp->options, strlen(mp->options) + 7);
+- if (tmp) {
+- strcat(tmp, ",ignore");
+- mp->options = tmp;
+- }
+- }
+ }
+
+ strcpy(mountpoint, root);
+--- autofs-5.1.4.orig/daemon/indirect.c
++++ autofs-5.1.4/daemon/indirect.c
+@@ -78,32 +78,13 @@ static int do_mount_autofs_indirect(stru
+ }
+ }
+
+- options = make_options_string(ap->path, ap->kpipefd, str_indirect);
++ options = make_options_string(ap->path,
++ ap->kpipefd, str_indirect, ap->flags);
+ if (!options) {
+ error(ap->logopt, "options string error");
+ goto out_err;
+ }
+
+- if ((ap->flags & MOUNT_FLAG_STRICTEXPIRE) &&
+- ((get_kver_major() == 5 && get_kver_minor() > 3) ||
+- (get_kver_major() > 5))) {
+- char *tmp = realloc(options, strlen(options) + 12);
+- if (tmp) {
+- strcat(tmp, ",strictexpire");
+- options = tmp;
+- }
+- }
+-
+- if ((ap->flags & MOUNT_FLAG_IGNORE) &&
+- ((get_kver_major() == 5 && get_kver_minor() > 4) ||
+- (get_kver_major() > 5))) {
+- char *tmp = realloc(options, strlen(options) + 7);
+- if (tmp) {
+- strcat(tmp, ",ignore");
+- options = tmp;
+- }
+- }
+-
+ /* In case the directory doesn't exist, try to mkdir it */
+ if (mkdir_path(root, mp_mode) < 0) {
+ if (errno != EEXIST && errno != EROFS) {
+--- autofs-5.1.4.orig/include/mounts.h
++++ autofs-5.1.4/include/mounts.h
+@@ -94,7 +94,8 @@ void free_amd_entry_list(struct list_hea
+ unsigned int query_kproto_ver(void);
+ unsigned int get_kver_major(void);
+ unsigned int get_kver_minor(void);
+-char *make_options_string(char *path, int kernel_pipefd, const char *extra);
++char *make_options_string(char *path, int pipefd,
++ const char *type, unsigned int flags);
+ char *make_mnt_name_string(char *path);
+ int ext_mount_add(struct list_head *, const char *, unsigned int);
+ int ext_mount_remove(struct list_head *, const char *);
+--- autofs-5.1.4.orig/lib/mounts.c
++++ autofs-5.1.4/lib/mounts.c
+@@ -599,43 +599,111 @@ void free_amd_entry_list(struct list_hea
+ }
+ }
+
++static int cacl_max_options_len(unsigned int flags)
++{
++ unsigned int kver_major = get_kver_major();
++ unsigned int kver_minor = get_kver_minor();
++ int max_len;
++
++ /* %d and %u are maximum lenght of 10 and mount type is maximum
++ * length of 9 (e. ",indirect").
++ * The base temaplate is "fd=%d,pgrp=%u,minproto=5,maxproto=%d"
++ * plus the length of mount type plus 1 for the NULL.
++ */
++ max_len = 79 + 1;
++
++ if (kver_major < 5 || (kver_major == 5 && kver_minor < 4))
++ goto out;
++
++ /* maybe add ",strictexpire" */
++ if (flags & MOUNT_FLAG_STRICTEXPIRE)
++ max_len += 13;
++
++ if (kver_major == 5 && kver_minor < 5)
++ goto out;
++
++ /* maybe add ",ignore" */
++ if (flags & MOUNT_FLAG_IGNORE)
++ max_len += 7;
++out:
++ return max_len;
++}
++
+ /*
+ * Make common autofs mount options string
+ */
+-char *make_options_string(char *path, int pipefd, const char *extra)
++char *make_options_string(char *path, int pipefd,
++ const char *type, unsigned int flags)
+ {
++ unsigned int kver_major = get_kver_major();
++ unsigned int kver_minor = get_kver_minor();
+ char *options;
+- int len;
++ int max_len, len, new;
+
+- options = malloc(MAX_OPTIONS_LEN + 1);
++ max_len = cacl_max_options_len(flags);
++
++ options = malloc(max_len);
+ if (!options) {
+ logerr("can't malloc options string");
+ return NULL;
+ }
+
+- if (extra)
+- len = snprintf(options, MAX_OPTIONS_LEN,
++ if (type)
++ len = snprintf(options, max_len,
+ options_template_extra,
+ pipefd, (unsigned) getpgrp(),
+- AUTOFS_MAX_PROTO_VERSION, extra);
++ AUTOFS_MAX_PROTO_VERSION, type);
+ else
+- len = snprintf(options, MAX_OPTIONS_LEN, options_template,
++ len = snprintf(options, max_len, options_template,
+ pipefd, (unsigned) getpgrp(),
+ AUTOFS_MAX_PROTO_VERSION);
+
+- if (len >= MAX_OPTIONS_LEN) {
+- logerr("buffer to small for options - truncated");
+- len = MAX_OPTIONS_LEN - 1;
++ if (len < 0)
++ goto error_out;
++
++ if (len >= max_len)
++ goto truncated;
++
++ if (kver_major < 5 || (kver_major == 5 && kver_minor < 4))
++ goto out;
++
++ /* maybe add ",strictexpire" */
++ if (flags & MOUNT_FLAG_STRICTEXPIRE) {
++ new = snprintf(options + len,
++ max_len, "%s", ",strictexpire");
++ if (new < 0)
++ goto error_out;
++ len += new;
++ if (len >= max_len)
++ goto truncated;
+ }
+
+- if (len < 0) {
+- logerr("failed to malloc autofs mount options for %s", path);
+- free(options);
+- return NULL;
++ if (kver_major == 5 && kver_minor < 5)
++ goto out;
++
++ /* maybe add ",ignore" */
++ if (flags & MOUNT_FLAG_IGNORE) {
++ new = snprintf(options + len,
++ max_len, "%s", ",ignore");
++ if (new < 0)
++ goto error_out;
++ len += new;
++ if (len >= max_len)
++ goto truncated;
+ }
++out:
+ options[len] = '\0';
+-
+ return options;
++
++truncated:
++ logerr("buffer to small for options - truncated");
++ len = max_len -1;
++ goto out;
++
++error_out:
++ logerr("error constructing mount options string for %s", path);
++ free(options);
++ return NULL;
+ }
+
+ char *make_mnt_name_string(char *path)
diff --git a/SOURCES/autofs-5.1.6-fix-quoted-string-length-calc-in-expandsunent.patch b/SOURCES/autofs-5.1.6-fix-quoted-string-length-calc-in-expandsunent.patch
new file mode 100644
index 0000000..d1bcde8
--- /dev/null
+++ b/SOURCES/autofs-5.1.6-fix-quoted-string-length-calc-in-expandsunent.patch
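Review bot: In make_options_string() the two appending calls write at `options + len` but still pass `max_len` as the size, so snprintf() may write up to `len` bytes past the allocation and cannot catch a miscalculation in cacl_max_options_len(), which is the check the commit message says it is there to provide. Pass the space that is left instead: `new = snprintf(options + len, max_len - len, "%s", ",strictexpire");` and the same for `",ignore"`. With the base length of 80 set in the helper the strings visible here appear to fit, so this reads as a lost safety margin rather than a live overflow, but the `truncated:` path (`len = max_len -1`) only helps if the write was bounded in the first place. The sizing comment also assumes `%d` prints at most 10 characters; a negative int needs 11, which is worth stating next to `max_len = 79 + 1`.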
@@ -0,0 +1,44 @@
+autofs-5.1.6 - fix quoted string length calc in expandsunent()
+
+From: Ian Kent
+
+The expandsunent() function in modules/parse_sun.c fails to properly
+handle the ending " in a quoted string causing the length calculation
+to not account for the ending quote and also doesn't properly account
+for the remainder of the string being expanded.
+
+Also, when called again (after being called to get the length) the
+allocated buffer is too small leading to out of bounds accesses.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ modules/parse_sun.c | 6 ++++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- autofs-5.1.4.orig/CHANGELOG
++++ autofs-5.1.4/CHANGELOG
+@@ -79,6 +79,7 @@ xx/xx/2018 autofs-5.1.5
+ - fix a regression with map instance lookup.
+ - fix trailing dollar sun entry expansion.
+ - initialize struct addrinfo for getaddrinfo() calls.
++- fix quoted string length calc in expandsunent().
+
+ 19/12/2017 autofs-5.1.4
+ - fix spec file url.
+--- autofs-5.1.4.orig/modules/parse_sun.c
++++ autofs-5.1.4/modules/parse_sun.c
+@@ -213,9 +213,11 @@ int expandsunent(const char *src, char *
+ *dst++ = *src;
+ src++;
+ }
+- if (*src && dst) {
++ if (*src) {
+ len++;
+- *dst++ = *src++;
++ if (dst)
++ *dst++ = *src;
++ src++;
+ }
+ break;
+
diff --git a/SOURCES/autofs-5.1.6-initialize-struct-addrinfo-for-getaddrinfo-calls.patch b/SOURCES/autofs-5.1.6-initialize-struct-addrinfo-for-getaddrinfo-calls.patch
new file mode 100644
index 0000000..a96054f
--- /dev/null
+++ b/SOURCES/autofs-5.1.6-initialize-struct-addrinfo-for-getaddrinfo-calls.patch
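Review bot: The closing-quote branch in expandsunent() now advances `len` and `src` whether or not `dst` is set, but nothing in the hunk records why, and that is the invariant the previous code broke. A comment above `if (*src) {` such as `/* count and skip the closing quote in the sizing pass (dst == NULL) too, so both passes agree on the length */` would keep a later edit from reintroducing the mismatch between the measured and the written length. The function body starts and ends outside this hunk, so whether its other branches keep the two passes in step cannot be checked from here.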
@@ -0,0 +1,104 @@
+autofs-5.1.6 - initialize struct addrinfo for getaddrinfo() calls
+
+From: Ian Kent
+
+The getaddrinfo() call may have become more fussy about initialization
+of the passed in struct addrinfo that receives the results.
+
+It's good practice to initialize it prior to the gataddrinfo() call just
+in case.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ lib/parse_subs.c | 1 +
+ lib/rpc_subs.c | 1 +
+ modules/dclist.c | 1 +
+ modules/parse_amd.c | 3 +++
+ modules/replicated.c | 2 ++
+ 6 files changed, 9 insertions(+)
+
+--- autofs-5.1.4.orig/CHANGELOG
++++ autofs-5.1.4/CHANGELOG
+@@ -78,6 +78,7 @@ xx/xx/2018 autofs-5.1.5
+ - fix missing initialization of autofs_point flags.
+ - fix a regression with map instance lookup.
+ - fix trailing dollar sun entry expansion.
++- initialize struct addrinfo for getaddrinfo() calls.
+
+ 19/12/2017 autofs-5.1.4
+ - fix spec file url.
+--- autofs-5.1.4.orig/lib/parse_subs.c
++++ autofs-5.1.4/lib/parse_subs.c
+@@ -475,6 +475,7 @@ unsigned int get_network_proximity(const
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_flags = AI_V4MAPPED | AI_ADDRCONFIG | AI_CANONNAME;
+
++ ni = NULL;
+ ret = getaddrinfo(name_or_num, NULL, &hints, &ni);
+ if (ret) {
+ logerr("hostname lookup for %s failed: %s",
+--- autofs-5.1.4.orig/lib/rpc_subs.c
++++ autofs-5.1.4/lib/rpc_subs.c
+@@ -691,6 +691,7 @@ static int create_client(struct conn_inf
+ else
+ hints.ai_socktype = SOCK_STREAM;
+
++ ai = NULL;
+ ret = getaddrinfo(info->host, NULL, &hints, &ai);
+ if (ret) {
+ error(LOGOPT_ANY,
+--- autofs-5.1.4.orig/modules/dclist.c
++++ autofs-5.1.4/modules/dclist.c
+@@ -355,6 +355,7 @@ static char *getdnsdomainname(unsigned i
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM;
+
++ ni = NULL;
+ ret = getaddrinfo(name, NULL, &hints, &ni);
+ if (ret) {
+ error(logopt,
+--- autofs-5.1.4.orig/modules/parse_amd.c
++++ autofs-5.1.4/modules/parse_amd.c
+@@ -269,6 +269,7 @@ static int match_my_name(struct autofs_p
+ hints.ai_socktype = SOCK_DGRAM;
+
+ /* Get host canonical name */
++ cni = NULL;
+ ret = getaddrinfo(v->val, NULL, &hints, &cni);
+ if (ret) {
+ error(logopt, MODPREFIX
+@@ -280,6 +281,7 @@ static int match_my_name(struct autofs_p
+ hints.ai_flags = AI_V4MAPPED | AI_ADDRCONFIG | AI_CANONNAME;
+
+ /* Resolve comparison name to its names and compare */
++ ni = NULL;
+ ret = getaddrinfo(exp_name, NULL, &hints, &ni);
+ if (ret) {
+ error(logopt, MODPREFIX
+@@ -775,6 +777,7 @@ static char *normalize_hostname(unsigned
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM;
+
++ ni = NULL;
+ ret = getaddrinfo(host, NULL, &hints, &ni);
+ if (ret) {
+ error(logopt, MODPREFIX
+--- autofs-5.1.4.orig/modules/replicated.c
++++ autofs-5.1.4/modules/replicated.c
+@@ -985,6 +985,7 @@ static int add_host_addrs(struct host **
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM;
+
++ ni = NULL;
+ ret = getaddrinfo(name, NULL, &hints, &ni);
+ if (ret)
+ goto try_name;
+@@ -1005,6 +1006,7 @@ try_name:
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM;
+
++ ni = NULL;
+ ret = getaddrinfo(name, NULL, &hints, &ni);
+ if (ret) {
+ error(LOGOPT_ANY,
diff --git a/SPECS/autofs.spec b/SPECS/autofs.spec
index e383ab9..540a7f9 100644
--- a/SPECS/autofs.spec
+++ b/SPECS/autofs.spec
@@ -8,7 +8,7 @@ Summary: A tool for automatically mounting and unmounting filesystems Name: autofs Version: 5.1.4 -Release: 41%{?dist} +Release: 43%{?dist} Epoch: 1 License: GPLv2+ Group: System Environment/Daemons
@@ -97,6 +97,9 @@ Patch83: autofs-5.1.6-update-ldap-READMEs-and-schema-definitions.patch Patch84: autofs-5.1.6-fix-a-regression-with-map-instance-lookup.patch Patch85: autofs-5.1.6-fix-trailing-dollar-sun-entry-expansion.patch +Patch86: autofs-5.1.6-initialize-struct-addrinfo-for-getaddrinfo-calls.patch +Patch87: autofs-5.1.6-fix-quoted-string-length-calc-in-expandsunent.patch +Patch88: autofs-5.1.6-fix-autofs-mount-options-construction.patch %if %{with_systemd} BuildRequires: systemd-units
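Review bot: The added assignments in the addrinfo patch clear the result pointer (`ni`, `ai`, `cni`) rather than the `struct addrinfo` the commit message names, and the same line is repeated at eight call sites. Initialising at the declaration, for example `struct addrinfo hints, *ni = NULL;`, would cover every path through a function with one edit; the declarations are outside these hunks, so this is a suggestion to check rather than a verified change. In add_host_addrs() `ni` is reused for a second lookup at `try_name:`, so the reset there should stay, and it is worth confirming that a list returned by the first call is released with freeaddrinfo() before the pointer is cleared.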
@@ -241,6 +244,9 @@ echo %{version}-%{release} > .version %patch84 -p1 %patch85 -p1 +%patch86 -p1 +%patch87 -p1 +%patch88 -p1 %build LDFLAGS=-Wl,-z,now @@ -336,6 +342,19 @@ fi %dir /etc/auto.master.d %changelog +* Mon Jun 15 2020 Ian Kent - 5.1.4-43 +- bz1841456 - automount program crashes with "malloc(): invalid next size + (unsorted) + - fix autofs mount options construction. +-Related: rhbz#1841456 + +* Tue Jun 02 2020 Ian Kent - 5.1.4-42 +- bz1841456 - automount program crashes with "malloc(): invalid next size + (unsorted) + - initialize struct addrinfo for getaddrinfo() calls. + - fix quoted string length calc in expandsunent(). +-Resolves: rhbz#1841456 + * Mon May 18 2020 Ian Kent - 5.1.4-41 - bz1835547 - [RHEL8]autofs cannot mount samba/cifs shares that end with a dollar sign