diff -Nurp autofs-4.1.4.orig/lib/cache.c autofs-4.1.4/lib/cache.c --- autofs-4.1.4.orig/lib/cache.c 2005-02-06 14:00:53.000000000 +0800 +++ autofs-4.1.4/lib/cache.c 2005-05-07 17:29:21.000000000 +0800 @@ -337,8 +337,10 @@ void cache_clean(const char *root, time_ if (!path) return; - if (is_mounted(_PATH_MOUNTED, path)) + if (is_mounted(_PATH_MOUNTED, path)) { + free(path); continue; + } if (me->age < age) { mapent_hash[i] = me->next; diff -Nurp autofs-4.1.4.orig/modules/lookup_file.c autofs-4.1.4/modules/lookup_file.c --- autofs-4.1.4.orig/modules/lookup_file.c 2005-04-06 23:14:23.000000000 +0800 +++ autofs-4.1.4/modules/lookup_file.c 2005-05-07 17:27:30.000000000 +0800 @@ -157,6 +157,10 @@ static int read_one(FILE *f, char *key, break; case st_compare: + if (kptr - key > KEY_MAX_LEN) { + state = st_badent; + break; + } if (ch == '\n') state = st_begin; else if (isspace(ch) && !escape) { diff -Nurp autofs-4.1.4.orig/modules/parse_sun.c autofs-4.1.4/modules/parse_sun.c --- autofs-4.1.4.orig/modules/parse_sun.c 2005-05-07 17:39:44.000000000 +0800 +++ autofs-4.1.4/modules/parse_sun.c 2005-05-07 17:35:27.000000000 +0800 @@ -680,6 +680,10 @@ static int sun_mount(const char *root, c "mounting root %s, mountpoint %s, what %s, fstype %s, options %s\n", root, mountpoint, what, fstype, options); + /* A malformed entry of the form key /xyz will trigger this case */ + if (!what || *what == '\0') + return 1; + if (!strcmp(fstype, "nfs")) { rv = mount_nfs->mount_mount(root, mountpoint, strlen(mountpoint), what, fstype, options, mount_nfs->context); @@ -695,6 +699,18 @@ static int sun_mount(const char *root, c return rv; } +static int key_exists(struct multi_mnt *list, char *path, int pathlen) +{ + struct multi_mnt *mmptr = list; + + while (mmptr && pathlen == strlen(mmptr->path)) { + if (!strncmp(mmptr->path, path, pathlen)) + return 1; + mmptr = mmptr->next; + } + return 0; +} + /* * Build list of mounts in shortest -> longest order. * Pass in list head and return list head. @@ -725,6 +741,12 @@ struct multi_mnt *multi_add_list(struct mmptr = mmptr->next; } + /* if a multimount entry has duplicate keys, it is invalid */ + if (key_exists(mmptr, path, plen)) { + free(new); + return NULL; + } + if (old) old->next = new; new->next = mmptr;