summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPavel Březina <pbrezina@redhat.com>2013-02-27 12:12:19 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-05-30 17:21:44 +0200
commit10efde3a8f213bec0245f57ef272e1e6a645110f (patch)
tree97d8d4a24f39ddae10a5e474713626db5601c9bf
parentf07523526597f6232dfcafbe23e0857ec61f69ab (diff)
downloadsssd-10efde3a8f213bec0245f57ef272e1e6a645110f.tar.gz
sssd-10efde3a8f213bec0245f57ef272e1e6a645110f.tar.xz
sssd-10efde3a8f213bec0245f57ef272e1e6a645110f.zip
autofs: fix invalid header 'number of entries' in packet1.9.2-91
https://fedorahosted.org/sssd/ticket/1739 Pointer to packet body may change while filling packet with autofs mount points. As a consequence, we sometimes wrote the number of entries into invalid body and we recieved an arbitrary number on the client side. If the number was 0, there were some skipped entries. If the number was greater than 0, everything worked correctly, because we iterate through the cached entries until we reach packet length - we don't compare to the number.
-rw-r--r--src/responder/autofs/autofssrv_cmd.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
index 8a79cecf3..629465438 100644
--- a/src/responder/autofs/autofssrv_cmd.c
+++ b/src/responder/autofs/autofssrv_cmd.c
@@ -1085,13 +1085,13 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
goto done;
}
+ /* allocate memory for number of entries in the packet */
ret = sss_packet_grow(client->creq->out, sizeof(uint32_t));
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Cannot grow packet\n"));
goto done;
}
- sss_packet_get_body(client->creq->out, &body, &blen);
rp = sizeof(uint32_t); /* We'll write the number of entries here */
left = map->entry_count - cursor;
@@ -1111,6 +1111,10 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
nentries++;
}
+ /* packet grows in fill_autofs_entry, body pointer may change,
+ * thus we have to obtain it here */
+ sss_packet_get_body(client->creq->out, &body, &blen);
+
rp = 0;
SAFEALIGN_SET_UINT32(&body[rp], nentries, &rp);