From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug nscd/31680] New: nscd: netgroup cache assumes NSS callback uses in-buffer strings
Date: Wed, 24 Apr 2024 11:53:14 +0000
Message-ID: <bug-31680-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=31680

            Bug ID: 31680
           Summary: nscd: netgroup cache assumes NSS callback uses
                    in-buffer strings
           Product: glibc
           Version: 2.40
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---
             Flags: security+

The buffer-resizing code in addgetnetgrentX assumes that all string
pointers point into the supplied buffer:

    const char *nhost = data.val.triple.host;
    const char *nuser = data.val.triple.user;
    const char *ndomain = data.val.triple.domain;

    size_t hostlen = strlen (nhost ?: "") + 1;
    size_t userlen = strlen (nuser ?: "") + 1;
    size_t domainlen = strlen (ndomain ?: "") + 1;

    if (nhost == NULL || nuser == NULL || ndomain == NULL
        || nhost > nuser || nuser > ndomain)
      {
        const char *last = nhost;
        if (last == NULL
            || (nuser != NULL && nuser > last))
          last = nuser;
        if (last == NULL
            || (ndomain != NULL && ndomain > last))
          last = ndomain;

        size_t bufused
          = (last == NULL
             ? buffilled
             : last + strlen (last) + 1 - buffer);

        /* We have to make temporary copies.  */
        size_t needed = hostlen + userlen + domainlen;

        if (buflen - req->key_len - bufused < needed)
          {
            buflen += MAX (buflen, 2 * needed);
            /* Save offset in the old buffer.  We don't
               bother with the NULL check here since
               we'll do that later anyway.  */
            size_t nhostdiff = nhost - buffer;
            size_t nuserdiff = nuser - buffer;
            size_t ndomaindiff = ndomain - buffer;

            char *newbuf = xrealloc (buffer, buflen);
            /* Fix up the triplet pointers into the new
               buffer.  */
            nhost = (nhost ? newbuf + nhostdiff : NULL);
            nuser = (nuser ? newbuf + nuserdiff : NULL);
            ndomain = (ndomain ? newbuf + ndomaindiff : NULL);
            *tofreep = buffer = newbuf;
          }

I do not think this is implied by the NSS API contract.  We should
simplify this code to use two buffers that are resized separately.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
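Added illustration, not glibc code and not part of the report above: the offset-relocation trick ("save p - buffer, realloc, add the offset back") is only sound when p actually lies inside the buffer, which an NSS module returning static strings violates. The sketch below keeps the result in its own buffer (the two-buffer layout the report suggests), checks membership before relocating, and copies strings that live elsewhere untouched. All names (ptr_in_buffer, result_buf, result_append_triple) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* True only if P lies inside [BUF, BUF + LEN): the sole case in which
   "save P - BUF, realloc, add the offset back" yields a valid pointer.
   A string in an NSS module's static storage fails this test.  */
static bool ptr_in_buffer (const char *p, const char *buf, size_t len)
{
  uintptr_t a = (uintptr_t) p, b = (uintptr_t) buf;
  return p != NULL && buf != NULL && a >= b && a < b + len;
}

/* Result buffer grown independently of the NSS scratch buffer; each
   triple is stored as three consecutive NUL-terminated strings.  */
struct result_buf { char *data; size_t used, cap; };

/* Append (HOST, USER, DOMAIN) to R.  NULL means wildcard and is stored
   as "".  Sources may live anywhere; only those already inside R are
   relocated by offset, because only for them is the offset meaningful.  */
static bool result_append_triple (struct result_buf *r, const char *host,
                                  const char *user, const char *domain)
{
  const char *src[3] = { host ? host : "", user ? user : "", domain ? domain : "" };
  size_t len[3], need = 0;
  ptrdiff_t off[3];
  for (int i = 0; i < 3; i++)
    {
      len[i] = strlen (src[i]) + 1;
      need += len[i];
      off[i] = ptr_in_buffer (src[i], r->data, r->used) ? src[i] - r->data : -1;
    }
  if (r->cap - r->used < need)
    {
      size_t ncap = r->cap ? r->cap : 64;
      while (ncap - r->used < need) ncap *= 2;
      char *nd = realloc (r->data, ncap);
      if (nd == NULL) return false;   /* Nothing written; sources intact.  */
      r->data = nd; r->cap = ncap;
    }
  for (int i = 0; i < 3; i++)
    {
      const char *s = off[i] >= 0 ? r->data + off[i] : src[i];
      memcpy (r->data + r->used, s, len[i]);
      r->used += len[i];
    }
  return true;
}
```

Running this under AddressSanitizer or valgrind with a source string that lives inside R and a forced realloc is a quick way to confirm no stale pointer into the old block is read.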