From: "fweimer at redhat dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug nscd/31680] New: nscd: netgroup cache assumes NSS callback uses in-buffer strings
Date: Wed, 24 Apr 2024 11:53:14 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=31680

            Bug ID: 31680
           Summary: nscd: netgroup cache assumes NSS callback uses
                    in-buffer strings
           Product: glibc
           Version: 2.40
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---
             Flags: security+

The buffer-resizing code in addgetnetgrentX assumes that all string pointers point into the supplied buffer:

          const char *nhost = data.val.triple.host;
          const char *nuser = data.val.triple.user;
          const char *ndomain = data.val.triple.domain;

          size_t hostlen = strlen (nhost ?: "") + 1;
          size_t userlen = strlen (nuser ?: "") + 1;
          size_t domainlen = strlen (ndomain ?: "") + 1;

          if (nhost == NULL || nuser == NULL || ndomain == NULL
              || nhost > nuser || nuser > ndomain)
            {
              const char *last = nhost;
              if (last == NULL
                  || (nuser != NULL && nuser > last))
                last = nuser;
              if (last == NULL
                  || (ndomain != NULL && ndomain > last))
                last = ndomain;

              size_t bufused
                = (last == NULL
                   ? buffilled
                   : last + strlen (last) + 1 - buffer);

              /* We have to make temporary copies.  */
              size_t needed = hostlen + userlen + domainlen;

              if (buflen - req->key_len - bufused < needed)
                {
                  buflen += MAX (buflen, 2 * needed);
                  /* Save offset in the old buffer.  We don't
                     bother with the NULL check here since
                     we'll do that later anyway.  */
                  size_t nhostdiff = nhost - buffer;
                  size_t nuserdiff = nuser - buffer;
                  size_t ndomaindiff = ndomain - buffer;

                  char *newbuf = xrealloc (buffer, buflen);
                  /* Fix up the triplet pointers into the new
                     buffer.  */
                  nhost = (nhost ? newbuf + nhostdiff : NULL);
                  nuser = (nuser ? newbuf + nuserdiff : NULL);
                  ndomain = (ndomain ? newbuf + ndomaindiff : NULL);
                  *tofreep = buffer = newbuf;
                }

I do not think this is implied by the NSS API contract. We should simplify this code to use two buffers that are resized separately.
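The following is an added illustration, not glibc or nscd code, of the two points in the report: the offset arithmetic `nhost - buffer` is only meaningful when the pointer actually lies inside the buffer, and a result buffer that is filled by copying (and grown on its own) never depends on where the NSS module placed its strings. The names `ptr_in_buffer`, `struct triples` and `triples_append` are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Result buffer owned by the cache writer.  It is sized for the copies
   it holds, independently of whatever scratch buffer the NSS module used.  */
struct triples
{
  char *buf;   /* packed "host\0user\0domain\0" records */
  size_t len;  /* bytes used */
  size_t cap;  /* bytes allocated */
};

/* Returns 1 if P points into [BUF, BUF + BUFLEN).  The code in the report
   assumes this always holds and computes P - BUF unconditionally; for a
   pointer to a static string or a separate allocation the offset is
   meaningless and the "fixed up" pointer after realloc is garbage.  */
int ptr_in_buffer (const char *buf, size_t buflen, const char *p)
{
  uintptr_t b = (uintptr_t) buf, q = (uintptr_t) p;
  return p != NULL && q >= b && q < b + buflen;
}

/* Append one (host, user, domain) triple by copying.  NULL fields are
   stored as empty strings.  The source pointers are never assumed to lie
   in any particular buffer, so growing our own buffer cannot invalidate
   them.  Returns 0 on success, -1 on allocation failure.  */
int triples_append (struct triples *t, const char *host,
                    const char *user, const char *domain)
{
  const char *f[3] = { host ? host : "", user ? user : "", domain ? domain : "" };
  size_t needed = strlen (f[0]) + strlen (f[1]) + strlen (f[2]) + 3;
  if (t->cap - t->len < needed)
    {
      size_t ncap = t->cap ? t->cap : 64;
      while (ncap - t->len < needed)
        ncap *= 2;
      char *nbuf = realloc (t->buf, ncap);
      if (nbuf == NULL)
        return -1;
      t->buf = nbuf;
      t->cap = ncap;
    }
  for (int i = 0; i < 3; i++)
    {
      size_t n = strlen (f[i]) + 1;
      memcpy (t->buf + t->len, f[i], n);
      t->len += n;
    }
  return 0;
}
```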