author | Siddhesh Poyarekar <siddhesh@redhat.com> | 2014-03-12 17:27:22 +0530 |
---|---|---|
committer | Allan McRae <allan@archlinux.org> | 2014-09-05 22:44:10 +1000 |
commit | 4e27332819b6151ccb5031d0efd718d802168573 (patch) | |
tree | c29dabaac78deb39c6904c3d726425d5cb97f2fd | |
parent | 9583c3542133be925467c87df7f74882783d867d (diff) | |
Provide correct buffer length to netgroup queries in nscd (BZ #16695)
The buffer to query netgroup entries is allocated sufficient space for
the netgroup entries and the key to be appended at the end, but it
sends in an incorrect available length to the NSS netgroup query
functions, resulting in overflow of the buffer in some special cases.
The fix here is to factor in the key length when sending the available
buffer and buffer length to the query functions.
(cherry picked from commit c44496df2f090a56d3bf75df930592dac6bba46f)
Conflicts:
NEWS
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | nscd/netgroupcache.c | 2 |
3 files changed, 9 insertions, 3 deletions
@@ -1,3 +1,9 @@ +2014-03-12 Siddhesh Poyarekar <siddhesh@redhat.com> + + [BZ #16695] + * nscd/netgroupcache.c (addgetnetgrentX): Factor in space for + key in the buffer. + 2014-06-20 Maciej W. Rozycki <macro@codesourcery.com> [BZ #16046] @@ -9,8 +9,8 @@ Version 2.19.1 * The following bugs are resolved with this release: - 15946, 16545, 16574, 16623, 16882, 16885, 16916, 16932, 16943, 16958, - 17048, 17069. + 15946, 16545, 16574, 16623, 16695, 16882, 16885, 16916, 16932, 16943, + 16958, 17048, 17069. * CVE-2014-4043 The posix_spawn_file_actions_addopen implementation did not copy the path argument. This allowed programs to cause posix_spawn to diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index be01fe8..fe7fc75 100644 --- a/nscd/netgroupcache.c +++ b/nscd/netgroupcache.c @@ -202,7 +202,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, { int e; status = getfct.f (&data, buffer + buffilled, - buflen - buffilled, &e); + buflen - buffilled - req->key_len, &e); if (status == NSS_STATUS_RETURN || status == NSS_STATUS_NOTFOUND) /* This was either the last one for this group or the |
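Review bot: in the nscd/netgroupcache.c hunk, the new length argument `buflen - buffilled - req->key_len` is computed with no visible check that `buflen - buffilled` is at least `req->key_len`. If these are unsigned sizes, a nearly full buffer would make the subtraction wrap to a very large value, and the query function would again be told it has more room than it does. Suggest checking the remaining space before the `getfct.f` call (grow the buffer or fail the lookup when it is short), or at least asserting the invariant there. A one-line comment above the call saying that `req->key_len` bytes are reserved for the key appended at the end would also help, since that reasoning currently lives only in the commit message and ChangeLog entry.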