author | Siddhesh Poyarekar <siddhesh@redhat.com> | 2014-01-27 11:32:44 +0530 |
---|---|---|
committer | Siddhesh Poyarekar <siddhesh@redhat.com> | 2014-01-27 11:32:44 +0530 |
commit | af37a8a3496327a6e5617a2c76f17aa1e8db835e (patch) | |
tree | 20fcea9ef0d2c17620c801b4c990259565cce399 | |
parent | 0c00f062dd97e4ebb3244147fc5af962aba53c7e (diff) | |
Avoid undefined behaviour in netgroupcache
Using a buffer after it has been reallocated is undefined behaviour,
so get offsets of the triplets in the old buffer before reallocating
it.
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | nscd/netgroupcache.c | 16 |
2 files changed, 16 insertions, 5 deletions
@@ -1,3 +1,8 @@
+2014-01-27 Siddhesh Poyarekar <siddhesh@redhat.com>
+
+ * nscd/netgroupcache.c (addgetnetgrentX): Compute offset from
+ the old buffer before realloc.
+
 2014-01-27 Allan McRae <allan@archlinux.org>

 * po/fr.po: Update French translation from translation project.
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index 924567c..be01fe8 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -241,15 +241,21 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
 if (buflen - req->key_len - bufused < needed)
 {
 buflen += MAX (buflen, 2 * needed);
+ /* Save offset in the old buffer. We don't
+ bother with the NULL check here since
+ we'll do that later anyway. */
+ size_t nhostdiff = nhost - buffer;
+ size_t nuserdiff = nuser - buffer;
+ size_t ndomaindiff = ndomain - buffer;
+
 char *newbuf = xrealloc (buffer, buflen);
- /* Adjust the pointers in the new
+ /* Fix up the triplet pointers into the new
 buffer. */
- nhost = (nhost ? newbuf + (nhost - buffer)
+ nhost = (nhost ? newbuf + nhostdiff
 : NULL);
- nuser = (nuser ? newbuf + (nuser - buffer)
+ nuser = (nuser ? newbuf + nuserdiff
 : NULL);
- ndomain = (ndomain
- ? newbuf + (ndomain - buffer)
+ ndomain = (ndomain ? newbuf + ndomaindiff
 : NULL);
 buffer = newbuf;
 }
 |
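Review bot: The three saved offsets in the netgroupcache.c hunk are computed unconditionally, so whenever `nhost`, `nuser` or `ndomain` is NULL (which the `? … : NULL` fix-ups just below show is possible) the subtraction `nhost - buffer` is itself undefined, because pointer difference is only defined for two pointers into the same object. The resulting value is discarded by the later NULL test, but a change whose purpose is to remove undefined behaviour from this realloc path should guard the subtraction rather than defer the check. I would write `size_t nhostdiff = nhost ? (size_t) (nhost - buffer) : 0;` and the same for `nuserdiff` and `ndomaindiff`, and drop the comment sentence saying the NULL check is skipped. addgetnetgrentX starts and ends outside the hunk, so whether all three pointers can really be NULL at this point should be confirmed against the full function.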