From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 5885 invoked by alias); 8 Jun 2004 16:31:34 -0000 Mailing-List: contact libc-hacker-help@sources.redhat.com; run by ezmlm Precedence: bulk List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-hacker-owner@sources.redhat.com Received: (qmail 5848 invoked from network); 8 Jun 2004 16:31:33 -0000 Received: from unknown (HELO sunsite.ms.mff.cuni.cz) (195.113.15.26) by sourceware.org with SMTP; 8 Jun 2004 16:31:33 -0000 Received: from sunsite.ms.mff.cuni.cz (sunsite.mff.cuni.cz [127.0.0.1]) by sunsite.ms.mff.cuni.cz (8.12.8/8.12.8) with ESMTP id i58EHW3j007701; Tue, 8 Jun 2004 16:17:32 +0200 Received: (from jakub@localhost) by sunsite.ms.mff.cuni.cz (8.12.8/8.12.8/Submit) id i58EHVxH007698; Tue, 8 Jun 2004 16:17:31 +0200 Date: Tue, 08 Jun 2004 16:31:00 -0000 From: Jakub Jelinek To: Ulrich Drepper , Roland McGrath Cc: Glibc hackers Subject: [PATCH] Fix a possible buffer overflow in crypt (in lowmem situation only), fix lowmem handling in chroot_canon Message-ID: <20040608141731.GG5191@sunsite.ms.mff.cuni.cz> Reply-To: Jakub Jelinek Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4i X-SW-Source: 2004-06/txt/msg00009.txt.bz2 Hi! 2004-06-08 Jakub Jelinek [BZ #199] * crypt/md5-crypt.c (__md5_crypt): Only update buflen if realloc succeeds. Reported by Miles Ohlrich . * elf/chroot_canon.c (chroot_canon): Avoid segfault if first malloc fails. Avoid memory leak if realloc fails. --- libc/crypt/md5-crypt.c.jj 2002-11-11 03:43:28.000000000 +0100 +++ libc/crypt/md5-crypt.c 2004-06-08 17:47:10.132492169 +0200 
@@ -1,6 +1,7 @@ /* One way encryption based on MD5 sum. Compatible with the behavior of MD5 crypt introduced in FreeBSD 2.0. - Copyright (C) 1996,1997,1999,2000,2001,2002 Free Software Foundation, Inc. + Copyright (C) 1996, 1997, 1999, 2000, 2001, 2002, 2004 + Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Ulrich Drepper , 1996. @@ -250,15 +251,12 @@ __md5_crypt (const char *key, const char if (buflen < needed) { - char *new_buffer; - - buflen = needed; - - new_buffer = (char *) realloc (buffer, buflen); + char *new_buffer = (char *) realloc (buffer, needed); if (new_buffer == NULL) return NULL; buffer = new_buffer; + buflen = needed; } return __md5_crypt_r (key, salt, buffer, buflen); --- libc/elf/chroot_canon.c.jj 2001-12-29 16:57:13.000000000 +0100 +++ libc/elf/chroot_canon.c 2004-06-08 18:05:45.556593648 +0200 @@ -1,5 +1,6 @@ /* Return the canonical absolute name of a given file inside chroot. - Copyright (C) 1996,1997,1998,1999,2000,2001 Free Software Foundation, Inc. + Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2004 + Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -59,6 +60,9 @@ chroot_canon (const char *chroot, const } rpath = malloc (chroot_len + PATH_MAX); + if (rpath == NULL) + return NULL; + rpath_limit = rpath + chroot_len + PATH_MAX; rpath_root = (char *) mempcpy (rpath, chroot, chroot_len) - 1; @@ -108,7 +112,7 @@ chroot_canon (const char *chroot, const new_size += PATH_MAX; new_rpath = (char *) realloc (rpath, new_size); if (new_rpath == NULL) - return NULL; + goto error; rpath = new_rpath; rpath_limit = rpath + new_size; Jakub
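Review bot: In the __md5_crypt hunk, deferring `buflen = needed;` until after the realloc succeeds is the right fix, and it is worth spelling out why in a comment above the realloc: `buffer` and `buflen` are static state that persists across calls, and in the old ordering a failed realloc left `buflen` claiming `needed` bytes while `buffer` still pointed at the smaller allocation (realloc leaves the original block intact on failure). The next call with a key/salt needing no more than that stale `buflen` would then skip the growth branch and hand the undersized buffer to `__md5_crypt_r`, writing past its end. A one-line comment such as "buflen must only be updated once buffer really has that many bytes" would keep a future cleanup from reintroducing the ordering bug. The `(char *)` cast on the realloc result is unnecessary in C, but it matches the surrounding glibc style, so no change needed there.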
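Review bot: In the chroot_canon malloc hunk, the bare `return NULL;` after a failed `malloc (chroot_len + PATH_MAX)` is correct only because nothing else has been allocated at that point; from the visible context `rpath_limit` and `rpath_root` are just derived from `rpath`, so there is nothing to release. Without this check the following `mempcpy (rpath, chroot, chroot_len)` would write through a null pointer, which is the segfault the ChangeLog entry refers to. malloc already sets errno to ENOMEM, so callers can distinguish this from the other NULL returns of the function only via errno; if the function's comment documents its failure modes, it should mention that.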
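Review bot: In the realloc hunk of chroot_canon, switching `return NULL;` to `goto error;` fixes the leak because a failed realloc leaves the old block allocated and `rpath = new_rpath;` has not run yet, so `rpath` still points at the buffer that must be freed. Please confirm that the `error` label (not visible in this hunk) does `free (rpath)` and nothing more, and in particular does not touch `new_rpath` or `rpath_limit`, since `rpath_limit` still describes the old allocation on this path. It would also be consistent to keep the `rpath = new_rpath;` and `rpath_limit = rpath + new_size;` assignments adjacent as they are, so that the two variables are never observed out of sync after a successful realloc.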