From mboxrd@z Thu Jan 1 00:00:00 1970
Received: by sourceware.org (Postfix, from userid 48) id 37E7F3844744; Thu, 25 Apr 2024 13:36:12 +0000 (GMT)
From: "fweimer at redhat dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug nscd/31678] nscd: Null pointer dereferences after failed netgroup cache insertion
Date: Thu, 25 Apr 2024 13:36:11 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: nscd
X-Bugzilla-Version: 2.40
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: fweimer at redhat dot com
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: fweimer at redhat dot com
X-Bugzilla-Target-Milestone: 2.40
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields: target_milestone resolution bug_status
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0

https://sourceware.org/bugzilla/show_bug.cgi?id=31678

Florian Weimer changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.40
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #1 from Florian Weimer ---
Fixed for glibc 2.40 via:

commit b048a482f088e53144d26a61c390bed0210f49f2
Author: Florian Weimer
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bug 31678)

    The addgetnetgrentX call in addinnetgrX may have failed to produce
    a result, so the result variable in addinnetgrX can be NULL.
    Use db->negtimeout as the fallback value if there is no result data;
    the timeout is also overwritten below.

    Also avoid sending a second not-found response.  (The client
    disconnects after receiving the first response, so the data stream did
    not go out of sync even without this fix.)  It is still beneficial to
    add the negative response to the mapping, so that the client can get
    it from there in the future, instead of going through the socket.

    Reviewed-by: Siddhesh Poyarekar

commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa
Author: Florian Weimer
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bug 31678)

    If we failed to add a not-found response to the cache, the dataset
    point can be null, resulting in a null pointer dereference.

    Reviewed-by: Siddhesh Poyarekar

-- 
You are receiving this mail because:
You are on the CC list for the bug.
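
The pattern the first commit message describes, as an added example that is not part of the original mail and is not glibc's code: a simplified model in which a lookup may fail to cache its answer and return NULL, and the caller falls back to the negative timeout without sending a second not-found reply. All struct, field and function names except negtimeout are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified types; not the nscd data structures. */
struct dataset { long timeout; int found; };
struct database {
    long postimeout, negtimeout;   /* cache lifetimes in seconds */
    int slots_free;                /* 0 models a failed cache insertion */
    int responses_sent;            /* replies written to the client */
};

static struct dataset storage;     /* single-slot "cache" for the model */

/* Models a lookup that also caches its answer. A not-found answer is
   reported to the client here. Returns NULL if nothing could be cached. */
static struct dataset *lookup_and_cache(struct database *db, int found)
{
    if (!found)
        db->responses_sent++;      /* the one not-found reply */
    if (db->slots_free == 0)
        return NULL;               /* insertion failed: no dataset */
    db->slots_free--;
    storage.found = found;
    storage.timeout = found ? db->postimeout : db->negtimeout;
    return &storage;
}

/* Hardened caller. Reading result->timeout unconditionally would crash
   whenever the callee returned NULL. */
static long membership_timeout(struct database *db, int found)
{
    struct dataset *result = lookup_and_cache(db, found);
    long timeout = result != NULL ? result->timeout : db->negtimeout;

    if (found)
        db->responses_sent++;      /* positive reply comes from the caller */
    /* No reply here when !found: the callee already sent it. */
    return timeout;
}

int main(void)
{
    struct database full = { 3600, 20, 0, 0 };   /* constructed: cache full */
    long t = membership_timeout(&full, 0);
    printf("timeout=%ld responses=%d\n", t, full.responses_sent);
    return 0;
}
```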