From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2178) id 2C56C3858C98; Thu, 25 Apr 2024 13:55:12 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2C56C3858C98 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1714053312; bh=Kx5fY57PQA4SmnjSQg3ZYzZCCjq1roSyNJ0JPN5cxpc=; h=From:To:Subject:Date:From; b=VJSwHnvnpphY9TVEMz6JSXbAsWFiJJ3i7zHobHz7lLYp/4BN9JFI9FKUP19DGcnzp MmrLe/VGKjZSNHVG5pbvlA1S6Ua1NKyBRBYcLMLJGsuR6YeyNx6CvfWa8xqR55CYZ+ Gilq4PpA9nzDwe9UG8RXMNvec/PjvWPnfdGgPdjY= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Florian Weimer To: glibc-cvs@sourceware.org Subject: [glibc/release/2.34/master] CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bug 31678) X-Act-Checkin: glibc X-Git-Author: Florian Weimer X-Git-Refname: refs/heads/release/2.34/master X-Git-Oldrev: 52f73e5c4e29b14e79167272297977f360ae1e97 X-Git-Newrev: 966d6ac9e40222b84bb21674cc4f83c8d72a5a26 Message-Id: <20240425135512.2C56C3858C98@sourceware.org> Date: Thu, 25 Apr 2024 13:55:12 +0000 (GMT) List-Id: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=966d6ac9e40222b84bb21674cc4f83c8d72a5a26 commit 966d6ac9e40222b84bb21674cc4f83c8d72a5a26 Author: Florian Weimer Date: Thu Apr 25 15:01:07 2024 +0200 CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bug 31678) If we failed to add a not-found response to the cache, the dataset point can be null, resulting in a null pointer dereference. Reviewed-by: Siddhesh Poyarekar (cherry picked from commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa) Diff: --- nscd/netgroupcache.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index f13a11b4c4..08668e96a9 100644 --- a/nscd/netgroupcache.c +++ b/nscd/netgroupcache.c @@ -148,7 +148,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, /* No such service. */ cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, &key_copy); - goto writeout; + goto maybe_cache_add; } memset (&data, '\0', sizeof (data)); @@ -349,7 +349,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, { cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, &key_copy); - goto writeout; + goto maybe_cache_add; } total = buffilled; @@ -411,14 +411,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, } if (he == NULL && fd != -1) - { - /* We write the dataset before inserting it to the database - since while inserting this thread might block and so would - unnecessarily let the receiver wait. */ - writeout: + /* We write the dataset before inserting it to the database since + while inserting this thread might block and so would + unnecessarily let the receiver wait. */ writeall (fd, &dataset->resp, dataset->head.recsize); - } + maybe_cache_add: if (cacheable) { /* If necessary, we also propagate the data to disk. */