1 files changed, 49 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/autofs/autofs-5.0.7/autofs-5.0.7-fix-use-cache-entry-after-free-mistake.patch b/meta-networking/recipes-daemons/autofs/autofs-5.0.7/autofs-5.0.7-fix-use-cache-entry-after-free-mistake.patch
new file mode 100644
index 0000000000..a469c16868
--- /dev/null
+++ b/meta-networking/recipes-daemons/autofs/autofs-5.0.7/autofs-5.0.7-fix-use-cache-entry-after-free-mistake.patch
@@ -0,0 +1,49 @@
+autofs-5.0.7 - fix use cache entry after free mistake
+From: Ian Kent <ikent@redhat.com>
+Fix an obvious use after free mistake in lookup_prune_one_cache().
+---
+ CHANGELOG       |    1 +
+ daemon/lookup.c |    7 +++++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+diff --git a/CHANGELOG b/CHANGELOG
+index faf4c80..dc38580 100644
+--- a/CHANGELOG
+++ b/CHANGELOG
+@@ -1,6 +1,7 @@
+ ??/??/2012 autofs-5.0.8
+ =======================
+ - fix nobind sun escaped map entries.
+- fix use cache entry after free in lookup_prune_one_cache().
+ 
+ 25/07/2012 autofs-5.0.7
+ =======================
+diff --git a/daemon/lookup.c b/daemon/lookup.c
+index 7909536..e3d9536 100644
+--- a/daemon/lookup.c
+++ b/daemon/lookup.c
+@@ -1103,15 +1103,18 @@ void lookup_prune_one_cache(struct autofs_point *ap, struct mapent_cache *mc, ti
+                if (valid)
+                        cache_delete(mc, key);
+                else if (!is_mounted(_PROC_MOUNTS, path, MNTS_AUTOFS)) {
+                       dev_t devid = ap->dev;
+                        status = CHE_FAIL;
+                       if (ap->type == LKP_DIRECT)
+                               devid = this->dev;
+                        if (this->ioctlfd == -1)
+                                status = cache_delete(mc, key);
+                        if (status != CHE_FAIL) {
+                                if (ap->type == LKP_INDIRECT) {
+                                        if (ap->flags & MOUNT_FLAG_GHOST)
+-                                               rmdir_path(ap, path, ap->dev);
+                                               rmdir_path(ap, path, devid);
+                                } else
+-                                       rmdir_path(ap, path, this->dev);
+                                       rmdir_path(ap, path, devid);
+                        }
+                }
+                cache_unlock(mc);

diff --git a/meta-networking/recipes-daemons/autofs/autofs-5.0.7/autofs-5.0.7-fix-use-cache-entry-after-free-mistake.patch b/meta-networking/recipes-daemons/autofs/autofs-5.0.7/autofs-5.0.7-fix-use-cache-entry-after-free-mistake.patch new file mode 100644 index 0000000000..a469c16868 --- /dev/null +++ b/meta-networking/recipes-daemons/autofs/autofs-5.0.7/autofs-5.0.7-fix-use-cache-entry-after-free-mistake.patch
@@ -0,0 +1,49 @@
	1	autofs-5.0.7 - fix use cache entry after free mistake
	2
	3	From: Ian Kent <ikent@redhat.com>
	4
	5	Fix an obvious use after free mistake in lookup_prune_one_cache().
	6	---
	7
	8	CHANGELOG \| 1 +
	9	daemon/lookup.c \| 7 +++++--
	10	2 files changed, 6 insertions(+), 2 deletions(-)
	11
	12
	13	diff --git a/CHANGELOG b/CHANGELOG
	14	index faf4c80..dc38580 100644
	15	--- a/CHANGELOG
	16	+++ b/CHANGELOG
	17	@@ -1,6 +1,7 @@
	18	??/??/2012 autofs-5.0.8
	19	=======================
	20	- fix nobind sun escaped map entries.
	21	+- fix use cache entry after free in lookup_prune_one_cache().
	22
	23	25/07/2012 autofs-5.0.7
	24	=======================
	25	diff --git a/daemon/lookup.c b/daemon/lookup.c
	26	index 7909536..e3d9536 100644
	27	--- a/daemon/lookup.c
	28	+++ b/daemon/lookup.c
	29	@@ -1103,15 +1103,18 @@ void lookup_prune_one_cache(struct autofs_point ap, struct mapent_cache mc, ti
	30	if (valid)
	31	cache_delete(mc, key);
	32	else if (!is_mounted(_PROC_MOUNTS, path, MNTS_AUTOFS)) {
	33	+ dev_t devid = ap->dev;
	34	status = CHE_FAIL;
	35	+ if (ap->type == LKP_DIRECT)
	36	+ devid = this->dev;
	37	if (this->ioctlfd == -1)
	38	status = cache_delete(mc, key);
	39	if (status != CHE_FAIL) {
	40	if (ap->type == LKP_INDIRECT) {
	41	if (ap->flags & MOUNT_FLAG_GHOST)
	42	- rmdir_path(ap, path, ap->dev);
	43	+ rmdir_path(ap, path, devid);
	44	} else
	45	- rmdir_path(ap, path, this->dev);
	46	+ rmdir_path(ap, path, devid);
	47	}
	48	}
	49	cache_unlock(mc);