* [PATCH] check for buffer underrun in nss_compat
@ 2004-09-11 21:01 Thorsten Kukuk
  2004-09-12 20:39 ` Ulrich Drepper
  0 siblings, 1 reply; 2+ messages in thread
From: Thorsten Kukuk @ 2004-09-11 21:01 UTC (permalink / raw)
  To: libc-hacker


Hi,

After debugging a crash I found that there is a case in nss_compat
where buflen is exactly zero. Since we work with negative offsets,
reading the next line then results in memory corruption.
In real life I only saw this with a test suite which uses buffers
of size 1.
Here is a patch to make sure that this will not happen:

2004-09-11  Thorsten Kukuk  <kukuk@suse.de>

	* nis/nss_compat/compat-grp.c: Check that buflen is greater zero
	before writing data into the buffer with negative offset.
	* nis/nss_compat/compat-initgroups.c: Likewise.
	* nis/nss_compat/compat-pwd.c: Likewise.
	* nis/nss_compat/compat-spwd.c Likewise.

--- nis/nss_compat/compat-grp.c	28 Jun 2003 07:58:41 -0000	1.28
+++ nis/nss_compat/compat-grp.c	11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996,1997,1998,1999,2001,2002, 2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996,1997,1998,1999,2001,2002, 2003, 2004 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Thorsten Kukuk <kukuk@suse.de>, 1996.
 
@@ -253,6 +253,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
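Review bot: The constant in `if (buflen < 3)` is not tied to anything a reader can check: the comment only says a line needs three characters, while the write the guard actually protects is the sentinel store `buffer[buflen - 1] = '\xff'` two lines below. I would word the comment along the lines of `/* Need room for one character, '\n' and '\0'; this also keeps the buffer[buflen - 1] sentinel inside the buffer.  */`, assuming that is the reasoning behind the 3. The same five-line guard is repeated in the other two hunks of this file and in the hunks for compat-initgroups.c, compat-pwd.c and compat-spwd.c, so one shared macro or inline helper would keep the copies from drifting apart. In the visible lines buflen is not modified inside the `do` loop, so the test could sit before the `do`; the loop body continues outside the hunk, so confirm that first.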
@@ -384,6 +389,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -511,6 +521,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-initgroups.c	19 Aug 2004 21:08:49 -0000	1.16
+++ nis/nss_compat/compat-initgroups.c	11 Sep 2004 20:53:05 -0000
@@ -327,6 +327,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
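Review bot: The new guard bounds buflen from below only, yet the same value is then passed as the size argument of `fgets_unlocked`, which takes an `int`. If buflen is a `size_t` here (its declaration is outside the hunk), a value above INT_MAX is converted on the call, and the sentinel at `buffer[buflen - 1]` no longer sits at the end of the region fgets fills, so the line-too-long detection that relies on it becomes unreliable. Returning ERANGE for an oversized buffer would be wrong, so I would clamp instead and use one length for both the sentinel and the read, e.g. `size_t linelen = buflen > INT_MAX ? INT_MAX : buflen;`. The same applies to the hunks in compat-grp.c, compat-pwd.c and compat-spwd.c.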
--- nis/nss_compat/compat-pwd.c	28 Jun 2003 07:59:28 -0000	1.33
+++ nis/nss_compat/compat-pwd.c	11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996-1999,2001,2002,2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996-1999,2001,2002,2003, 2004 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996.
 
@@ -499,6 +499,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -694,6 +699,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -897,6 +907,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-spwd.c	2 Sep 2003 00:45:13 -0000	1.26
+++ nis/nss_compat/compat-spwd.c	11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996-1999,2001,2002,2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996-1999,2001,2002,2003, 2004 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996.
 
@@ -451,6 +451,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -645,6 +650,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);


-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Maxfeldstr. 5                 D-90409 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B


* Re: [PATCH] check for buffer underrun in nss_compat
  2004-09-11 21:01 [PATCH] check for buffer underrun in nss_compat Thorsten Kukuk
@ 2004-09-12 20:39 ` Ulrich Drepper
  0 siblings, 0 replies; 2+ messages in thread
From: Ulrich Drepper @ 2004-09-12 20:39 UTC (permalink / raw)
  To: Thorsten Kukuk; +Cc: libc-hacker

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I applied the patch.  I optimized the code a little bit while doing this.

- --
➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBRLO82ijCOnn/RHQRAqeIAKC3qUWKQBWzrYft9Cb1LxF0oCSaRwCfYEq3
lmqaN6YkvXNMNaEoWC0zcTI=
=wYn8
-----END PGP SIGNATURE-----

