From: Thorsten Kukuk <kukuk@suse.de>
To: libc-hacker@sources.redhat.com
Subject: [PATCH] check for buffer underrun in nss_compat
Date: Sat, 11 Sep 2004 21:01:00 -0000	[thread overview]
Message-ID: <20040911210141.GA6448@suse.de> (raw)


Hi,

After debugging one crash I found out that there is a case where
buflen is exactly zero in nss_compat. Since we work with negative
offsets, this means that reading the next line results in memory corruption.
In real life I only saw this with a test suite which uses buffers
of size 1.
Here is a patch to make sure that this will not happen:

2004-09-11  Thorsten Kukuk  <kukuk@suse.de>

	* nis/nss_compat/compat-grp.c: Check that buflen is greater zero
	before writing data into the buffer with negative offset.
	* nis/nss_compat/compat-initgroups.c: Likewise.
	* nis/nss_compat/compat-pwd.c: Likewise.
	* nis/nss_compat/compat-spwd.c Likewise.

--- nis/nss_compat/compat-grp.c	28 Jun 2003 07:58:41 -0000	1.28
+++ nis/nss_compat/compat-grp.c	11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996,1997,1998,1999,2001,2002, 2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996,1997,1998,1999,2001,2002, 2003, 2004 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Thorsten Kukuk <kukuk@suse.de>, 1996.
 
@@ -253,6 +253,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
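Review bot: The new guard hard-codes the constant 3 with a comment that says what the bound is but not why, and the same five lines with the same comment are repeated in the other eight hunks (compat-grp.c at -384 and -511, compat-initgroups.c at -327, compat-pwd.c at -499, -694 and -897, compat-spwd.c at -451 and -645); a single shared constant would keep the nine copies from drifting. The enclosing function starts and ends outside the hunk, so I cannot see how buflen is declared; if it is an unsigned `size_t`, `buflen < 3` correctly catches the buflen == 0 case that made `buffer[buflen - 1]` write before the buffer, and the early return happens before `fgetpos`, so no stream position needs restoring. I would replace the comment with one that explains the derivation, along the lines of `/* A line needs at least one character, the newline and the NUL; a smaller buffer also cannot hold the '\xff' sentinel written below.  */`, adjusted if the intent behind 3 is different. Presumably buflen does not change inside the `do` loop; if so the check could sit once before the loop rather than on every iteration, though leaving it inside is harmless.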
@@ -384,6 +389,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -511,6 +521,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-initgroups.c	19 Aug 2004 21:08:49 -0000	1.16
+++ nis/nss_compat/compat-initgroups.c	11 Sep 2004 20:53:05 -0000
@@ -327,6 +327,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-pwd.c	28 Jun 2003 07:59:28 -0000	1.33
+++ nis/nss_compat/compat-pwd.c	11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996-1999,2001,2002,2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996-1999,2001,2002,2003, 2004 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996.
 
@@ -499,6 +499,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -694,6 +699,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -897,6 +907,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-spwd.c	2 Sep 2003 00:45:13 -0000	1.26
+++ nis/nss_compat/compat-spwd.c	11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996-1999,2001,2002,2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996-1999,2001,2002,2003, 2004 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996.
 
@@ -451,6 +451,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -645,6 +650,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);


-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Maxfeldstr. 5                 D-90409 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B
