Subject: Re: [PATCH v1] nscd: Fix double free in netgroupcache [BZ #27462]
From: Carlos O'Donell
Organization: Red Hat
To: DJ Delorie, libc-alpha@sourceware.org
Date: Tue, 2 Mar 2021 12:03:17 -0500
List-Id: Libc-alpha mailing list

On 2/25/21 4:13 PM, DJ Delorie via Libc-alpha wrote:
>
> In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free
> was fixed, but this led to an occasional double-free.  This patch
> tracks the "live" allocation better.
>
> Tested manually by a third party.

This looks like it should be logically the correct fix.

There are only two xrealloc's that I see that could impact the buffer
reuse here and we need to track the update to the pointer.

LGTM.

Reviewed-by: Carlos O'Donell

> Related: RHBZ 1927877
> ---
>  nscd/netgroupcache.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
> index dba6ceec1b..ad2daddafd 100644
> --- a/nscd/netgroupcache.c
> +++ b/nscd/netgroupcache.c
> @@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
>                                    : NULL);
>                            ndomain = (ndomain ? newbuf + ndomaindiff
>                                      : NULL);
> -                          buffer = newbuf;
> +                          *tofreep = buffer = newbuf;
>                          }
>
>                        nhost = memcpy (buffer + bufused,
> @@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
>                else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
>                  {
>                    buflen *= 2;
> -                  buffer = xrealloc (buffer, buflen);
> +                  *tofreep = buffer = xrealloc (buffer, buflen);
>                  }
>                else if (status == NSS_STATUS_RETURN
>                         || status == NSS_STATUS_NOTFOUND
>

--
Cheers,
Carlos.
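Review bot: in the first hunk (@@ -248), `*tofreep = buffer = newbuf;` restores the invariant that `*tofreep` always names the block the caller must free, but the invariant itself is left undocumented at the place a future edit is most likely to break it again, the triplet fixup block, where `newbuf` is computed several lines above the assignment. Suggest a short comment beside the assignment, e.g. `/* The caller frees *tofreep: keep it pointing at the live buffer.  */`, so that anyone adding another growth path copies the full two-level assignment rather than the old `buffer = newbuf;`.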
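Review bot: in the second hunk (@@ -319), `*tofreep = buffer = xrealloc (buffer, buflen);` is only safe on the assumption that xrealloc never returns NULL; if this line were ever switched to plain realloc, a failure would store NULL into both `buffer` and `*tofreep` while the old block stayed allocated, trading the double free for a leak plus a NULL `buffer` on the next use. A one-line comment on that dependency would be worthwhile. The commit message also says the fix was "Tested manually by a third party"; this ERANGE retry branch is the path a regression test should drive (a netgroup large enough to force at least one doubling of `buflen` before the caller frees `*tofreep`), since it is the second of the two reallocation sites the fix has to cover.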
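The ownership problem both hunks fix, as an added example in C that is not part of this patch or of glibc: a worker hands the caller a buffer through a `tofreep` out-parameter, then grows that buffer by a reallocation that always moves it, and the caller frees `*tofreep` afterwards. The allocation registry, `moving_realloc`, `append_records`, `run_scenario` and the record sizes are all constructed here; the assumption, taken from the names in the diff rather than from code on this page, is that the caller of addgetnetgrentX frees whatever `*tofreep` points to. Released blocks are kept allocated until the end of a scenario, so the stale free that the pre-fix lines produce is counted rather than executed, and the two behaviours can be compared in one process.

```c
#include <stdlib.h>
#include <string.h>

/* Allocation registry (constructed for this example).  Released blocks stay
   allocated until registry_drain, so no address is ever reused and a second
   free of a block is detected instead of corrupting the heap. */
#define MAX_SLOTS 16
static void *blocks[MAX_SLOTS];     /* every block handed out so far */
static int freed[MAX_SLOTS];        /* set once tracked_free released it */
static int bad_frees;               /* double frees and frees of stale pointers */

static int slot_of (void *p)        /* index of P in the registry, or -1 */
{
  for (int i = 0; i < MAX_SLOTS; i++)
    if (blocks[i] == p)
      return i;
  return -1;
}

static void *tracked_malloc (size_t n)
{
  void *p = malloc (n);
  int i = slot_of (NULL);           /* first empty slot */
  if (p == NULL || i < 0)
    abort ();
  blocks[i] = p;
  freed[i] = 0;
  return p;
}

static void tracked_free (void *p)
{
  int i = slot_of (p);
  if (p == NULL)
    return;
  if (i < 0 || freed[i])
    bad_frees++;                    /* stale pointer or second free */
  else
    freed[i] = 1;
}

/* Count the blocks never released (leaks), then really free everything. */
static int registry_drain (void)
{
  int leaked = 0;
  for (int i = 0; i < MAX_SLOTS; i++)
    {
      leaked += blocks[i] != NULL && !freed[i];
      free (blocks[i]);               /* free (NULL) is a no-op */
      blocks[i] = NULL;
    }
  return leaked;
}

/* A reallocation that always moves the block, so every other copy of the
   old address (such as the caller's *tofreep) goes stale. */
static char *moving_realloc (char *old, size_t used, size_t newlen)
{
  char *p = tracked_malloc (newlen);
  memcpy (p, old, used);
  tracked_free (old);
  return p;
}

/* Append NRECORDS records of RECLEN bytes to a buffer the caller later frees
   through *TOFREEP, growing it when it runs out of room.  FIX_TOFREEP selects
   the pre-fix lines (local pointer only) or the patched lines. */
static size_t append_records (char **tofreep, int fix_tofreep,
                              size_t nrecords, size_t reclen)
{
  size_t buflen = 64, used = 0;
  char *buffer = tracked_malloc (buflen);
  *tofreep = buffer;                /* caller owns the block from here on */
  for (size_t i = 0; i < nrecords; i++)
    {
      if (buflen - used < reclen)
        {
          buflen *= 2;
          char *newbuf = moving_realloc (buffer, used, buflen);
          if (fix_tofreep)
            *tofreep = buffer = newbuf; /* what the patch does */
          else
            buffer = newbuf;            /* what the code did before */
        }
      memset (buffer + used, 'x', reclen);
      used += reclen;
    }
  return used;
}

/* Worker plus the caller's cleanup, which frees *tofreep as the caller of
   addgetnetgrentX is assumed to do.  Returns the number of bad frees;
   *LEAKED receives the leaked block count.  8 records of 32 bytes force
   two moves of the 64-byte initial buffer. */
static int run_scenario (int fix_tofreep, int *leaked)
{
  bad_frees = 0;
  char *tofree = NULL;
  append_records (&tofree, fix_tofreep, 8, 32);
  tracked_free (tofree);
  *leaked = registry_drain ();
  return bad_frees;
}
```

`run_scenario (0, &leaked)` reports one bad free and one leaked block: the caller frees the original address a second time (the reallocation already released it) and never learns about the final block. `run_scenario (1, &leaked)` reports zero of each. The moving reallocation is deliberate: a realloc that happened to grow in place would leave the caller's pointer correct by accident, which is one way a bug of this kind stays intermittent.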