autofs: fix invalid header 'number of entries' in packet

https://fedorahosted.org/sssd/ticket/1739

Pointer to packet body may change while filling packet with autofs
mount points. As a consequence, we sometimes wrote the number of
entries into invalid body and we recieved an arbitrary number
on the client side.

If the number was 0, there were some skipped entries. If the number
was greater than 0, everything worked correctly, because we iterate
through the cached entries until we reach packet length - we don't
compare to the number.

1 files changed, 5 insertions, 1 deletions

diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
index 550c981a..491afbb1 100644
--- a/src/responder/autofs/autofssrv_cmd.c
+++ b/src/responder/autofs/autofssrv_cmd.c
@@ -1085,13 +1085,13 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
         goto done;
     }
 
+    /* allocate memory for number of entries in the packet */
     ret = sss_packet_grow(client->creq->out, sizeof(uint32_t));
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, ("Cannot grow packet\n"));
         goto done;
     }
 
-    sss_packet_get_body(client->creq->out, &body, &blen);
     rp = sizeof(uint32_t);  /* We'll write the number of entries here */
 
     left = map->entry_count - cursor;
@@ -1111,6 +1111,10 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
         nentries++;
     }
 
+    /* packet grows in fill_autofs_entry, body pointer may change,
+     * thus we have to obtain it here */
+    sss_packet_get_body(client->creq->out, &body, &blen);
+
     rp = 0;
     SAFEALIGN_SET_UINT32(&body[rp], nentries, &rp);