autofs-5.1.4 - fix use after free in do_master_list_reset() From: Ian Kent Umm ... list_for_each() can't be used in do_master_list_reset() because the subject entry of the loop is removed for the list within the loop body. Therefore it can't be used to calculate the next pointer within a for (...) loop. There is no list_for_each_safe() macro in the list.h of autofs so it needs to be done manually. Signed-off-by: Ian Kent --- CHANGELOG | 1 + daemon/automount.c | 8 ++++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 4faab510..2747327b 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ xx/xx/2018 autofs-5.1.5 - fix flag file permission. - fix directory create permission. +- fix use after free in do_master_list_reset(). 19/12/2017 autofs-5.1.4 - fix spec file url. diff --git a/daemon/automount.c b/daemon/automount.c index dcdc19fb..28b3f2f5 100644 --- a/daemon/automount.c +++ b/daemon/automount.c @@ -2070,14 +2070,18 @@ static void remove_empty_args(char **argv, int *argc) static void do_master_list_reset(struct master *master) { - struct list_head *head, *p; + struct list_head *head, *p, *n; master_mutex_lock(); head = &master->mounts; - list_for_each(p, head) { + n = head->next; + while (n != head) { struct master_mapent *entry; + p = n; + n = p->next; + entry = list_entry(p, struct master_mapent, list); if (!list_empty(&entry->list))