diff options
| author | Siddhesh Poyarekar <siddhesh@redhat.com> | 2014-03-27 19:48:15 +0530 |
|---|---|---|
| committer | Siddhesh Poyarekar <siddhesh@redhat.com> | 2014-03-27 19:48:15 +0530 |
| commit | ea7d8b95e2fcb81f68b04ed7787a3dbda023991a (patch) | |
| tree | 20e3018b10da00729cd8a8feec1e2265b173c321 | |
| parent | df5b85da90915ce6208ad737807e3d8f2a8fce87 (diff) | |
| download | glibc-ea7d8b95e2fcb81f68b04ed7787a3dbda023991a.zip glibc-ea7d8b95e2fcb81f68b04ed7787a3dbda023991a.tar.gz glibc-ea7d8b95e2fcb81f68b04ed7787a3dbda023991a.tar.bz2 | |
Avoid overlapping addresses to stpcpy calls in nscd (BZ #16760)
Calls to stpcpy from nscd netgroups code will have overlapping source
and destination when all three values in the returned triplet are
non-NULL and in the expected (host,user,domain) order. This is seen
in valgrind as:
==3181== Source and destination overlap in stpcpy(0x19973b48, 0x19973b48)
==3181== at 0x4C2F30A: stpcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3181== by 0x12567A: addgetnetgrentX (string3.h:111)
==3181== by 0x12722D: addgetnetgrent (netgroupcache.c:665)
==3181== by 0x11114C: nscd_run_worker (connections.c:1338)
==3181== by 0x4E3C102: start_thread (pthread_create.c:309)
==3181== by 0x59B81AC: clone (clone.S:111)
==3181==
Fix this by using memmove instead of stpcpy.
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | nscd/netgroupcache.c | 16 |
3 files changed, 17 insertions, 7 deletions
@@ -1,3 +1,9 @@ +2014-03-27 Siddhesh Poyarekar <siddhesh@redhat.com> + + [BZ #16760] + * nscd/netgroupcache.c (addgetnetgrentX): Use memmove instead + of stpcpy. + 2014-03-27 Andi Kleen <ak@linux.intel.com> * nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.h (lll_lock, @@ -12,7 +12,7 @@ Version 2.20 15347, 15804, 15894, 16002, 16198, 16284, 16357, 16447, 16532, 16545, 16574, 16599, 16600, 16609, 16610, 16611, 16613, 16623, 16632, 16634, 16639, 16642, 16649, 16670, 16674, 16677, 16680, 16683, 16689, 16695, - 16701, 16706, 16707, 16712, 16713, 16714, 16731, 16743, 16758. + 16701, 16706, 16707, 16712, 16713, 16714, 16731, 16743, 16758, 16760. * Running the testsuite no longer terminates as soon as a test fails. Instead, a file tests.sum (xtests.sum from "make xcheck") is generated, diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index 5d15aa4..820d823 100644 --- a/nscd/netgroupcache.c +++ b/nscd/netgroupcache.c @@ -216,6 +216,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, const char *nuser = data.val.triple.user; const char *ndomain = data.val.triple.domain; + size_t hostlen = strlen (nhost ?: "") + 1; + size_t userlen = strlen (nuser ?: "") + 1; + size_t domainlen = strlen (ndomain ?: "") + 1; + if (nhost == NULL || nuser == NULL || ndomain == NULL || nhost > nuser || nuser > ndomain) { @@ -233,9 +237,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, : last + strlen (last) + 1 - buffer); /* We have to make temporary copies. */ - size_t hostlen = strlen (nhost ?: "") + 1; - size_t userlen = strlen (nuser ?: "") + 1; - size_t domainlen = strlen (ndomain ?: "") + 1; size_t needed = hostlen + userlen + domainlen; if (buflen - req->key_len - bufused < needed) @@ -269,9 +270,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, } char *wp = buffer + buffilled; - wp = stpcpy (wp, nhost) + 1; - wp = stpcpy (wp, nuser) + 1; - wp = stpcpy (wp, ndomain) + 1; + wp = memmove (wp, nhost ?: "", hostlen); + wp += hostlen; + wp = memmove (wp, nuser ?: "", userlen); + wp += userlen; + wp = memmove (wp, ndomain ?: "", domainlen); + wp += domainlen; buffilled = wp - buffer; ++nentries; } |