This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug nscd/16185] nscd/pwdcache.c (cache_addpw): Possible allocate DATASET outside of the stack if it's too large


https://sourceware.org/bugzilla/show_bug.cgi?id=16185

--- Comment #4 from bathang <nbthang_bk at yahoo dot com> ---
In the following piece of code in pwdcache.c:

const size_t buf_len = 3 * sizeof (pwd->pw_uid) + key_len + 1;
char *buf = alloca (buf_len);
ssize_t n;

/* We need this to insert the `byuid' entry.  */
int key_offset;
n = snprintf (buf, buf_len, "%d%c%n%s", pwd->pw_uid, '\0',
            &key_offset, (char *) key) + 1;

If there's a large dataset (pwd), the buf length can become very large, and
alloca tries to allocate this buffer on the function stack. Later, snprintf tries
to write the string value to the buffer, which is allocated outside of the stack.
So I think we'll then get this error ".. in writable segment detected".

-- 
You are receiving this mail because:
You are on the CC list for the bug.
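
The concern raised in comment #4, shown as an added example (not glibc's code and not the fix for this bug): the same buffer sizing, with stack allocation restricted to small requests and a heap fallback for larger ones. The names `build_byuid_key` and `MAX_STACK_ALLOC`, the 4096-byte threshold, and the use of `%lu` with the offset taken from snprintf's return value are assumptions made for the illustration.

```c
#include <alloca.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumed cap for stack allocations; value chosen for this example. */
#define MAX_STACK_ALLOC 4096

/* Builds "<uid>\0<key>\0" as the quoted snippet does and returns the offset
   of the key (the value the original reads back through %n), or -1 on error.
   *on_heap reports which allocator was used.  */
int build_byuid_key(uid_t uid, const char *key, int *on_heap)
{
    const size_t key_len = strlen(key) + 1;   /* includes the NUL */
    const size_t buf_len = 3 * sizeof(uid) + key_len + 1;
    char *buf;

    /* Only small, bounded requests go on the stack; alloca cannot report
       failure, so anything larger is taken from the heap.  */
    *on_heap = buf_len > MAX_STACK_ALLOC;
    if (*on_heap)
        buf = malloc(buf_len);
    else
        buf = alloca(buf_len);
    if (buf == NULL)
        return -1;

    /* The offset comes from snprintf's return value, so no %n is needed. */
    int digits = snprintf(buf, buf_len, "%lu", (unsigned long) uid);
    int key_offset = -1;
    if (digits > 0 && (size_t) digits + 1 + key_len <= buf_len) {
        key_offset = digits + 1;
        memcpy(buf + key_offset, key, key_len);
        /* A real cache would insert buf here, before it goes out of scope. */
    }
    if (*on_heap)
        free(buf);
    return key_offset;
}

int main(void)
{
    int on_heap;
    int off = build_byuid_key(1000, "alice", &on_heap);  /* constructed input */
    printf("key_offset=%d on_heap=%d\n", off, on_heap);
    return 0;
}
```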

