From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <siddhesh@sourceware.org>
Received: from hedgehog.birch.relay.mailchannels.net
 (hedgehog.birch.relay.mailchannels.net [23.83.209.81])
 by sourceware.org (Postfix) with ESMTPS id D83053857C7B
 for <libc-stable@sourceware.org>; Mon,  8 Mar 2021 11:31:07 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org D83053857C7B
X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org
Received: from relay.mailchannels.net (localhost [127.0.0.1])
 by relay.mailchannels.net (Postfix) with ESMTP id 5D93E7E2AF0;
 Mon,  8 Mar 2021 11:31:06 +0000 (UTC)
Received: from pdx1-sub0-mail-a30.g.dreamhost.com
 (100-96-27-126.trex.outbound.svc.cluster.local [100.96.27.126])
 (Authenticated sender: dreamhost)
 by relay.mailchannels.net (Postfix) with ESMTPA id 7E6D67E29FE;
 Mon,  8 Mar 2021 11:31:05 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org
Received: from pdx1-sub0-mail-a30.g.dreamhost.com (pop.dreamhost.com
 [64.90.62.162])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384)
 by 100.96.27.126 (trex/6.0.2); Mon, 08 Mar 2021 11:31:06 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org
X-MailChannels-Auth-Id: dreamhost
X-Harmony-Power: 61cd30022ac9e3f3_1615203066108_560902404
X-MC-Loop-Signature: 1615203066108:920003708
X-MC-Ingress-Time: 1615203066108
Received: from pdx1-sub0-mail-a30.g.dreamhost.com (localhost [127.0.0.1])
 by pdx1-sub0-mail-a30.g.dreamhost.com (Postfix) with ESMTP id 414D57E694;
 Mon,  8 Mar 2021 03:31:05 -0800 (PST)
Received: from rhbox.intra.reserved-bit.com (unknown [1.186.101.110])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 (Authenticated sender: siddhesh@gotplt.org)
 by pdx1-sub0-mail-a30.g.dreamhost.com (Postfix) with ESMTPSA id 9CAA47F045;
 Mon,  8 Mar 2021 03:31:03 -0800 (PST)
X-DH-BACKEND: pdx1-sub0-mail-a30
From: Siddhesh Poyarekar <siddhesh@sourceware.org>
To: libc-stable@sourceware.org
Cc: DJ Delorie <dj@redhat.com>,
	Carlos O'Donell <carlos@redhat.com>
Subject: [COMMITTED 2.28-2.33] nscd: Fix double free in netgroupcache [BZ
 #27462]
Date: Mon,  8 Mar 2021 16:59:47 +0530
Message-Id: <20210308112947.460163-1-siddhesh@sourceware.org>
X-Mailer: git-send-email 2.29.2
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-3495.1 required=5.0 tests=BAYES_00, GIT_PATCH_0,
 JMQ_SPF_NEUTRAL, KAM_DMARC_NONE, KAM_DMARC_STATUS, RCVD_IN_BARRACUDACENTRAL,
 RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_NEUTRAL,
 TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: libc-stable@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-stable mailing list <libc-stable.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-stable>,
 <mailto:libc-stable-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-stable/>
List-Help: <mailto:libc-stable-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-stable>,
 <mailto:libc-stable-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2021 11:31:09 -0000

From: DJ Delorie <dj@redhat.com>

In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free
was fixed, but this led to an occasional double-free.  This patch
tracks the "live" allocation better.

Tested manually by a third party.

Related: RHBZ 1927877

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit dca565886b5e8bd7966e15f0ca42ee5cff686673)
---
 nscd/netgroupcache.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index dba6ceec1b..ad2daddafd 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, req=
uest_header *req,
 					     : NULL);
 				    ndomain =3D (ndomain ? newbuf + ndomaindiff
 					       : NULL);
-				    buffer =3D newbuf;
+				    *tofreep =3D buffer =3D newbuf;
 				  }
=20
 				nhost =3D memcpy (buffer + bufused,
@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, req=
uest_header *req,
 		    else if (status =3D=3D NSS_STATUS_TRYAGAIN && e =3D=3D ERANGE)
 		      {
 			buflen *=3D 2;
-			buffer =3D xrealloc (buffer, buflen);
+			*tofreep =3D buffer =3D xrealloc (buffer, buflen);
 		      }
 		    else if (status =3D=3D NSS_STATUS_RETURN
 			     || status =3D=3D NSS_STATUS_NOTFOUND
--=20
2.29.2