From: Carlos O'Donell <carlos@redhat.com>
To: DJ Delorie <dj@redhat.com>, libc-alpha@sourceware.org
Subject: Re: [PATCH v1] nscd: Fix double free in netgroupcache [BZ #27462]
Date: Tue, 2 Mar 2021 12:03:17 -0500 [thread overview]
Message-ID: <d9fb61e3-28a3-359b-ba42-be91082781a7@redhat.com> (raw)
In-Reply-To: <xnpn0n4zrd.fsf@greed.delorie.com>
On 2/25/21 4:13 PM, DJ Delorie via Libc-alpha wrote:
>
> In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free
> was fixed, but this led to an occasional double-free. This patch
> tracks the "live" allocation better.
>
> Tested manually by a third party.
This looks like it should be logically the correct fix. There are only
two xrealloc's that I see that could impact the buffer reuse here and
we need to track the update to the pointer.
LGTM.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> Related: RHBZ 1927877
> ---
> nscd/netgroupcache.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
> index dba6ceec1b..ad2daddafd 100644
> --- a/nscd/netgroupcache.c
> +++ b/nscd/netgroupcache.c
> @@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
> : NULL);
> ndomain = (ndomain ? newbuf + ndomaindiff
> : NULL);
> - buffer = newbuf;
> + *tofreep = buffer = newbuf;
> }
>
> nhost = memcpy (buffer + bufused,
> @@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
> else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
> {
> buflen *= 2;
> - buffer = xrealloc (buffer, buflen);
> + *tofreep = buffer = xrealloc (buffer, buflen);
> }
> else if (status == NSS_STATUS_RETURN
> || status == NSS_STATUS_NOTFOUND
>
--
Cheers,
Carlos.
next prev parent reply other threads:[~2021-03-02 17:03 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-25 21:13 DJ Delorie
2021-03-01 7:48 ` Siddhesh Poyarekar
2021-03-02 17:38 ` DJ Delorie
2021-03-02 17:03 ` Carlos O'Donell [this message]
2021-03-03 12:19 ` Andreas Schwab
2021-03-03 17:11 ` DJ Delorie
2021-03-03 17:48 ` Andreas Schwab
2021-03-03 19:55 ` [PATCH v1] NEWS: Add entry for CVE-2021-27645 DJ Delorie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d9fb61e3-28a3-359b-ba42-be91082781a7@redhat.com \
--to=carlos@redhat.com \
--cc=dj@redhat.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).