From: Florian Weimer
To: glibc-cvs@sourceware.org
Subject: [glibc/release/2.33/master] CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bug 31678)
X-Act-Checkin: glibc
X-Git-Author: Florian Weimer
X-Git-Refname: refs/heads/release/2.33/master
X-Git-Oldrev: f20a8d696b13c6261b52a6434899121f8b19d5a7
X-Git-Newrev: e3eef1b8fbdd3a7917af466ca9c4b7477251ca79
Message-Id: <20240425141029.0AD7C3858C98@sourceware.org>
Date: Thu, 25 Apr 2024 14:10:29 +0000 (GMT)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e3eef1b8fbdd3a7917af466ca9c4b7477251ca79

commit e3eef1b8fbdd3a7917af466ca9c4b7477251ca79
Author: Florian Weimer
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bug 31678)

    The addgetnetgrentX call in addinnetgrX may have failed to produce a
    result, so the result variable in addinnetgrX can be NULL.  Use
    db->negtimeout as the fallback value if there is no result data; the
    timeout is also overwritten below.

    Also avoid sending a second not-found response.  (The client
    disconnects after receiving the first response, so the data stream
    did not go out of sync even without this fix.)  It is still
    beneficial to add the negative response to the mapping, so that the
    client can get it from there in the future, instead of going through
    the socket.

    Reviewed-by: Siddhesh Poyarekar
    (cherry picked from commit b048a482f088e53144d26a61c390bed0210f49f2)

Diff:
---
 nscd/netgroupcache.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index f2e7d60b50..aa9501a2c0 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -512,14 +512,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, sizeof (innetgroup_response_header), - he == NULL ? 0 : dh->nreloads + 1, result->head.ttl); + he == NULL ? 0 : dh->nreloads + 1, + result == NULL ? db->negtimeout : result->head.ttl); /* Set the notfound status and timeout based on the result from getnetgrent. */ - dataset->head.notfound = result->head.notfound; + dataset->head.notfound = result == NULL || result->head.notfound; dataset->head.timeout = timeout; dataset->resp.version = NSCD_VERSION; - dataset->resp.found = result->resp.found; + dataset->resp.found = result != NULL && result->resp.found; /* Until we find a matching entry the result is 0. */ dataset->resp.result = 0; @@ -567,7 +568,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, goto out; } - if (he == NULL) + /* addgetnetgrentX may have already sent a notfound response. Do + not send another one. */ + if (he == NULL && dataset->resp.found) { /* We write the dataset before inserting it to the database since while inserting this thread might block and so would
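Review bot: in the first hunk (addinnetgrX, around line 512) the comment above `dataset->head.notfound = result == NULL || result->head.notfound;` still reads "Set the notfound status and timeout based on the result from getnetgrent", but with this change a NULL result (addgetnetgrentX produced nothing) is itself treated as notfound and gets db->negtimeout as the TTL in the datahead_init_pos call. Suggest extending the comment so the fallback is documented next to the three guarded dereferences, e.g. "Set the notfound status and timeout based on the result from getnetgrent; a missing result is treated as notfound with the negative timeout."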
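Review bot: in the second hunk (around line 567) the new condition `if (he == NULL && dataset->resp.found)` uses resp.found as the signal that addgetnetgrentX has already written a notfound response, but the comment only says it "may have already sent" one, so a reader cannot tell from these lines why found == 0 implies the response went out. Suggest stating the invariant explicitly and tying it to the first hunk's `dataset->resp.found = result != NULL && result->resp.found;`, e.g. "If the result is notfound (resp.found == 0), addgetnetgrentX has already sent the response on fd; only send the dataset here for a found result."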