public inbox for glibc-bugs@sourceware.org
* [Bug nscd/31678] New: nscd: Null pointer dereferences after failed netgroup cache insertion
@ 2024-04-24  7:52 fweimer at redhat dot com
  2024-04-24  7:52 ` [Bug nscd/31678] " fweimer at redhat dot com
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: fweimer at redhat dot com @ 2024-04-24  7:52 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31678

            Bug ID: 31678
           Summary: nscd: Null pointer dereferences after failed netgroup
                    cache insertion
           Product: glibc
           Version: 2.40
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

After a failed cache insertion, addgetnetgrentX tries to send the non-existing
response after the not-found header.

In addinnetgrX, addgetnetgrentX may have produced a NULL result, indicating a
not-found status, but this is not handled in the subsequent code that prepares
the record that will be sent out to the client.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug nscd/31678] nscd: Null pointer dereferences after failed netgroup cache insertion
From: fweimer at redhat dot com @ 2024-04-24  7:52 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31678

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security+


* [Bug nscd/31678] nscd: Null pointer dereferences after failed netgroup cache insertion
From: fweimer at redhat dot com @ 2024-04-24  8:32 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31678

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com
             Status|NEW                         |ASSIGNED


* [Bug nscd/31678] nscd: Null pointer dereferences after failed netgroup cache insertion
From: carlos at redhat dot com @ 2024-04-24 20:36 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31678

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2024-33600
                 CC|                            |carlos at redhat dot com


* [Bug nscd/31678] nscd: Null pointer dereferences after failed netgroup cache insertion
From: fweimer at redhat dot com @ 2024-04-25 13:36 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31678

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.40
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.40 via:

commit b048a482f088e53144d26a61c390bed0210f49f2
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bug 31678)

    The addgetnetgrentX call in addinnetgrX may have failed to produce
    a result, so the result variable in addinnetgrX can be NULL.
    Use db->negtimeout as the fallback value if there is no result data;
    the timeout is also overwritten below.

    Also avoid sending a second not-found response.  (The client
    disconnects after receiving the first response, so the data stream did
    not go out of sync even without this fix.)  It is still beneficial to
    add the negative response to the mapping, so that the client can get
    it from there in the future, instead of going through the socket.

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bug 31678)

    If we failed to add a not-found response to the cache, the dataset
    point can be null, resulting in a null pointer dereference.

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

-- 
You are receiving this mail because:
You are on the CC list for the bug.
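
A minimal C model of the two null-pointer paths discussed in this thread, added here as an illustration: it is not glibc's nscd code and not part of any message above. All names (`cache_reserve`, `inner_notfound`, `outer_lookup`, the structs, the constructed timeout value) are hypothetical; only the idea of falling back to a `negtimeout` field comes from the commit message.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model with hypothetical names; not glibc's nscd code. */
struct dataset { long timeout; char resp[8]; };
struct cache { long negtimeout; int full; struct dataset slot; };
struct client { char buf[32]; size_t len; };

static void send_bytes(struct client *c, const void *p, size_t n)
{
    memcpy(c->buf + c->len, p, n);
    c->len += n;
}

/* Cache insertion that can fail: NULL means nothing was stored. */
static struct dataset *cache_reserve(struct cache *db)
{
    return db->full ? NULL : &db->slot;
}

/* Inner lookup, not-found path: the header goes out exactly once.  The
   defect class reported is using ds here without the NULL check. */
static struct dataset *inner_notfound(struct cache *db, struct client *c)
{
    static const char notfound_hdr[8] = "NOTFND";
    send_bytes(c, notfound_hdr, sizeof notfound_hdr);
    struct dataset *ds = cache_reserve(db);
    if (ds == NULL)
        return NULL;            /* nothing cached, nothing more to send */
    ds->timeout = 1000 + db->negtimeout;   /* constructed expiry value */
    memcpy(ds->resp, notfound_hdr, sizeof ds->resp);
    return ds;
}

/* Outer caller: a NULL result means not-found with no cached data, so it
   falls back to the cache's negative timeout and sends nothing further. */
static long outer_lookup(struct cache *db, struct client *c)
{
    const struct dataset *result = inner_notfound(db, c);
    return result != NULL ? result->timeout : db->negtimeout;
}

int main(void)
{
    struct cache db = { .negtimeout = 20, .full = 1 };  /* insertion fails */
    struct client c = { .len = 0 };
    long t = outer_lookup(&db, &c);
    printf("timeout=%ld bytes_sent=%zu\n", t, c.len);
    return 0;
}
```
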


* [Bug nscd/31678] nscd: Null pointer dereferences after failed netgroup cache insertion
From: sam at gentoo dot org @ 2024-04-25 13:53 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31678

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org


* [Bug nscd/31678] nscd: Null pointer dereferences after failed netgroup cache insertion
From: carnil at debian dot org @ 2024-04-25 21:00 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31678

Salvatore Bonaccorso <carnil at debian dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carnil at debian dot org

