A friend of mine was kind enough to run some analysis for me. A couple of
problems jumped out immediately.
991 static char *make_fullpath(const char *root, const char *key)
...
1000 path = malloc(l);
1001 strcpy(path, key);
...
1006 path = malloc(l);
1007 sprintf(path, "%s/%s", root, key);
Those are unchecked malloc(3) calls. How would you prefer to handle
failures?
1012 int lookup_prune_cache(struct autofs_point *ap, time_t age)
...
1075 cache_unlock(mc);
1076 free(key);
1077 if (next_key)
1078 free(next_key);
1079 free(path);
1080 goto next;
...
1103 next:
1104 cache_readlock(mc);
1105 me = cache_lookup_distinct(mc, next_key);
1106 free(key);
1107 free(path);
1108 free(next_key);
Those are double free(3) calls. Oh, and `next_key' is used after being
freed.
_______________________________________________
autofs mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/autofs
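An added example (not autofs's own code) of the two fixes the report calls for: make_fullpath with the allocation checks, and a prune loop with a single cleanup site so key, path and next_key are each freed exactly once and next_key is never read after its free. The absolute-key branch and the shape of the loop are assumptions, since only fragments are quoted above.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* make_fullpath with the missing allocation checks: NULL is returned to
 * the caller on failure. The absolute-key vs. root/key branches are
 * assumed from the malloc/strcpy and malloc/sprintf sites in the post. */
static char *make_fullpath(const char *root, const char *key)
{
	size_t len;
	char *path;
	if (!root || !key)
		return NULL;
	len = (key[0] == '/') ? strlen(key) + 1
			      : strlen(root) + 1 + strlen(key) + 1;
	path = malloc(len);
	if (!path)                      /* the check the original lacks */
		return NULL;
	if (key[0] == '/')
		memcpy(path, key, len);
	else
		snprintf(path, len, "%s/%s", root, key);
	return path;
}

/* Prune loop shaped like lookup_prune_cache, but with one cleanup site per
 * pass: key, path and next_key are each freed exactly once, and next_key
 * is only read before that free. Returns entries handled, -1 if any
 * allocation failed. keys is an assumed, constructed input. */
static int prune_keys(const char *root, const char *const *keys, int n)
{
	int i, done = 0;
	for (i = 0; i < n; i++) {
		char *key = strdup(keys[i]);
		char *next_key = (i + 1 < n) ? strdup(keys[i + 1]) : NULL;
		char *path = key ? make_fullpath(root, key) : NULL;
		int ok = key && path && (i + 1 >= n || next_key);
		if (ok)
			done++;        /* real code would expire the mount here */
		/* any lookup that needs next_key happens above this line */
		free(path);
		free(key);
		free(next_key);
		if (!ok)
			return -1;     /* every exit goes through the same cleanup */
	}
	return done;
}
```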