autofs-5.1.8 - fix use after free in tree_mapent_delete_offset_tree()

From: Ian Kent <raven@themaw.net>

The key field of the map entry of the root of the map entry tree to be
deleted can't be used for the key parameter, fix it.

Signed-off-by: Ian Kent <raven@themaw.net>
---
 CHANGELOG    |    1 +
 lib/mounts.c |   16 +++++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

--- autofs-5.1.4.orig/CHANGELOG
+++ autofs-5.1.4/CHANGELOG
@@ -88,6 +88,7 @@
 - dont fail on duplicate offset entry tree add.
 - fix loop under run in cache_get_offset_parent().
 - simplify cache_add() a little.
+- fix use after free in tree_mapent_delete_offset_tree().
 
 xx/xx/2018 autofs-5.1.5
 - fix flag file permission.
--- autofs-5.1.4.orig/lib/mounts.c
+++ autofs-5.1.4/lib/mounts.c
@@ -1666,16 +1666,26 @@ static int tree_mapent_delete_offset_tre
 	 */
 	if (MAPENT_ROOT(me) != MAPENT_NODE(me)) {
 		struct tree_node *root = MAPENT_ROOT(me);
+		char *key;
 
-		debug(logopt, "deleting offset key %s", me->key);
+		key = strdup(me->key);
+		if (!key) {
+			char buf[MAX_ERR_BUF];
+			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+			error(logopt, "strdup: %s", estr);
+			return 0;
+		}
+
+		debug(logopt, "deleting offset key %s", key);
 
 		/* cache_delete won't delete an active offset */
 		MAPENT_SET_ROOT(me, NULL);
-		ret = cache_delete(me->mc, me->key);
+		ret = cache_delete(me->mc, key);
 		if (ret != CHE_OK) {
 			MAPENT_SET_ROOT(me, root);
-			warn(logopt, "failed to delete offset %s", me->key);
+			warn(logopt, "failed to delete offset %s", key);
 		}
+		free(key);
 	} else {
 		MAPENT_SET_ROOT(me, NULL);
 		MAPENT_SET_PARENT(me, NULL);