From: Jakub Jelinek <jakub@redhat.com>
To: Ulrich Drepper <drepper@redhat.com>, Roland McGrath <roland@redhat.com>
Cc: Glibc hackers <libc-hacker@sources.redhat.com>
Subject: [PATCH] Fix a possible buffer overflow in crypt (in lowmem situation only), fix lowmem handling in chroot_canon
Date: Tue, 08 Jun 2004 16:31:00 -0000 [thread overview]
Message-ID: <20040608141731.GG5191@sunsite.ms.mff.cuni.cz> (raw)
Hi!
2004-06-08 Jakub Jelinek <jakub@redhat.com>
[BZ #199]
* crypt/md5-crypt.c (__md5_crypt): Only update buflen if realloc
succeeds. Reported by Miles Ohlrich <miles@cray.com>.
* elf/chroot_canon.c (chroot_canon): Avoid segfault if first malloc
fails. Avoid memory leak if realloc fails.
--- libc/crypt/md5-crypt.c.jj 2002-11-11 03:43:28.000000000 +0100
+++ libc/crypt/md5-crypt.c 2004-06-08 17:47:10.132492169 +0200
@@ -1,6 +1,7 @@
/* One way encryption based on MD5 sum.
Compatible with the behavior of MD5 crypt introduced in FreeBSD 2.0.
- Copyright (C) 1996,1997,1999,2000,2001,2002 Free Software Foundation, Inc.
+ Copyright (C) 1996, 1997, 1999, 2000, 2001, 2002, 2004
+ Free Software Foundation, Inc.
This file is part of the GNU C Library.
Contributed by Ulrich Drepper <drepper@cygnus.com>, 1996.
@@ -250,15 +251,12 @@ __md5_crypt (const char *key, const char
if (buflen < needed)
{
- char *new_buffer;
-
- buflen = needed;
-
- new_buffer = (char *) realloc (buffer, buflen);
+ char *new_buffer = (char *) realloc (buffer, needed);
if (new_buffer == NULL)
return NULL;
buffer = new_buffer;
+ buflen = needed;
}
return __md5_crypt_r (key, salt, buffer, buflen);
--- libc/elf/chroot_canon.c.jj 2001-12-29 16:57:13.000000000 +0100
+++ libc/elf/chroot_canon.c 2004-06-08 18:05:45.556593648 +0200
@@ -1,5 +1,6 @@
/* Return the canonical absolute name of a given file inside chroot.
- Copyright (C) 1996,1997,1998,1999,2000,2001 Free Software Foundation, Inc.
+ Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2004
+ Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
@@ -59,6 +60,9 @@ chroot_canon (const char *chroot, const
}
rpath = malloc (chroot_len + PATH_MAX);
+ if (rpath == NULL)
+ return NULL;
+
rpath_limit = rpath + chroot_len + PATH_MAX;
rpath_root = (char *) mempcpy (rpath, chroot, chroot_len) - 1;
@@ -108,7 +112,7 @@ chroot_canon (const char *chroot, const
new_size += PATH_MAX;
new_rpath = (char *) realloc (rpath, new_size);
if (new_rpath == NULL)
- return NULL;
+ goto error;
rpath = new_rpath;
rpath_limit = rpath + new_size;
Jakub
next reply other threads:[~2004-06-08 16:31 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-06-08 16:31 Jakub Jelinek [this message]
2004-06-10 2:16 ` Roland McGrath
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040608141731.GG5191@sunsite.ms.mff.cuni.cz \
--to=jakub@redhat.com \
--cc=drepper@redhat.com \
--cc=libc-hacker@sources.redhat.com \
--cc=roland@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).