From cd2327153a9ac55f3cf470c294691506096bd1eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Wed, 27 Feb 2013 12:12:19 +0100
Subject: [PATCH] autofs: fix invalid header 'number of entries' in packet

https://fedorahosted.org/sssd/ticket/1739

Pointer to packet body may change while filling packet with autofs mount points. As a consequence, we sometimes wrote the number of entries into invalid body and we recieved an arbitrary number on the client side. If the number was 0, there were some skipped entries. If the number was greater than 0, everything worked correctly, because we iterate through the cached entries until we reach packet length - we don't compare to the number.
---
 src/responder/autofs/autofssrv_cmd.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
index 550c981a73e40804701268d0b34f8d7198f3ecc6..491afbb1de057dae996cfc7d084cdaed0220b8e3 100644
--- a/src/responder/autofs/autofssrv_cmd.c
+++ b/src/responder/autofs/autofssrv_cmd.c
@@ -1085,13 +1085,13 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
 goto done;
 }

+ /* allocate memory for number of entries in the packet */
 ret = sss_packet_grow(client->creq->out, sizeof(uint32_t));
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, ("Cannot grow packet\n"));
 goto done;
 }

- sss_packet_get_body(client->creq->out, &body, &blen);
 rp = sizeof(uint32_t); /* We'll write the number of entries here */

 left = map->entry_count - cursor;
@@ -1111,6 +1111,10 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
 nentries++;
 }

+ /* packet grows in fill_autofs_entry, body pointer may change,
+ * thus we have to obtain it here */
+ sss_packet_get_body(client->creq->out, &body, &blen);
+
 rp = 0;
 SAFEALIGN_SET_UINT32(&body[rp], nentries, &rp);

--
1.8.1.4
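Review bot: With the early `sss_packet_get_body()` call removed in the first hunk, `body` and `blen` carry no value from that point until the call added after the loop, unless they are initialised at their declaration, which is outside the hunk. The loop between the two hunks is not visible either, so it is worth confirming that nothing in it, and nothing on a `goto done` path, still reads them. Initialising both where they are declared, e.g. `body = NULL` and `blen = 0`, would turn any leftover use into an immediate fault rather than an access through an indeterminate pointer.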
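Review bot: The comment added in the second hunk explains this one re-fetch but not the rule behind it, so the same stale-pointer write can return at the next call site. Per the description the old code wrote the count through a body pointer that was no longer valid, which is a memory-safety problem (a write into a buffer that has presumably been moved) and not only a wrong count. I would word the comment as the invariant, `/* sss_packet_grow() may move the buffer: never keep a body pointer across a call that can grow the packet */`. `blen` is also fetched here but not used in the visible lines before `SAFEALIGN_SET_UINT32(&body[rp], nentries, &rp)`; a check that `blen >= sizeof(uint32_t)` ahead of that write would make it self-evidently in bounds. getautomntent_process continues outside the hunk.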