This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
[PATCH] Fix SEGV in nscd with only one remaining file descriptor
- From: Guillaume Chazarain <guichaz at yahoo dot fr>
- To: libc-alpha at sourceware dot org
- Date: Tue, 29 May 2007 15:02:12 +0200
- Subject: [PATCH] Fix SEGV in nscd with only one remaining file descriptor
Hi,
Running programs with only one free file descriptor, like:
ulimit -n 4
ls -l /
produces a SEGV in the nscd client code:
Core was generated by `ls -l /'.
Program terminated with signal 11, Segmentation fault.
#0 0x00000032c9efe781 in get_mapping (type=<value optimized out>,
key=0x32c9f18b15 "passwd", mappedp=0x32ca14c888) at nscd_helper.c:245
245 if (__builtin_expect (CMSG_FIRSTHDR (&msg)->cmsg_len
(gdb) p msg
$1 = {msg_name = 0x0, msg_namelen = 0, msg_iov = 0x7fff3990a460,
msg_iovlen = 1, msg_control = 0x7fff3990a440, msg_controllen = 0,
msg_flags = 8}
msg_controllen is 0, so CMSG_FIRSTHDR (&msg) is NULL.
The attached patch fixes this bug by checking CMSG_FIRSTHDR (&msg).
Thanks.
--
Guillaume
--- glibc-2.6-orig/nscd/nscd_helper.c
+++ glibc-2.6/nscd/nscd_helper.c
@@ -271,6 +271,9 @@ get_mapping (request_type type, const ch
mapfd = *(int *) CMSG_DATA (cmsg);
+ if (__builtin_expect (!CMSG_FIRSTHDR (&msg), 0))
+ goto out_close;
+
if (__builtin_expect (CMSG_FIRSTHDR (&msg)->cmsg_len
!= CMSG_LEN (sizeof (int)), 0))
goto out_close;
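Review bot: the new NULL check sits after `mapfd = *(int *) CMSG_DATA (cmsg);`, so a pointer into the control buffer has already been read through before the check runs; move the check above that line (or test `msg.msg_controllen` directly) so nothing touches the control message before it is known to exist. The gdb dump shows msg_flags = 8, which on Linux is MSG_CTRUNC, meaning the kernel could not deliver the descriptor because the process was at its fd limit; testing `msg.msg_flags & MSG_CTRUNC` next to the length comparison would make that intent explicit. Nothing in the hunk checks cmsg_level == SOL_SOCKET and cmsg_type == SCM_RIGHTS either; adding those beside the existing cmsg_len test would complete the validation.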
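A defensive receiver for the SCM_RIGHTS case, as an added example (not glibc's code and not the patch above): it refuses the msg_controllen = 0 / MSG_CTRUNC situation shown in the gdb dump instead of dereferencing NULL, and round-trips a real descriptor over a socketpair to show the validating path still accepts good messages. The union, the function names and the one-byte payload are constructed for the example.

```c
#include <sys/socket.h>
#include <unistd.h>
union fdctl { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; }; /* room for one fd */

/* Pull the descriptor out of a received msghdr.  Returns -1 instead of crashing when
 * msg_controllen is 0 (CMSG_FIRSTHDR is then NULL, as in the nscd trace), when ancillary
 * data was truncated (MSG_CTRUNC, the msg_flags = 8 in that trace), or on a wrong header. */
static int fd_from_msghdr(struct msghdr *msg)
{
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(msg);
    if ((msg->msg_flags & MSG_CTRUNC) || cmsg == NULL
        || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS
        || cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    return *(int *) CMSG_DATA(cmsg);   /* CMSG_DATA is suitably aligned */
}

/* The trace's situation: a control buffer was supplied, but the kernel handed back
 * msg_controllen == 0 with MSG_CTRUNC set.  Must yield -1, not a SEGV. */
static int empty_control_is_rejected(void)
{
    union fdctl ctl;
    struct msghdr msg = { .msg_control = &ctl, .msg_flags = MSG_CTRUNC }; /* controllen 0 */
    return fd_from_msghdr(&msg) == -1;
}

/* Pass a pipe's read end over a socketpair with SCM_RIGHTS, receive it through the
 * validating path, and confirm the received descriptor really is that pipe. */
static int roundtrip_ok(void)
{
    int sv[2], p[2], rfd = -1, ok;
    char c = 'x', got = 0;
    struct iovec iov = { .iov_base = &c, .iov_len = 1 };
    union fdctl ctl;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = &ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0)
        return 0;
    cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    *(int *) CMSG_DATA(cmsg) = p[0];   /* ship the pipe's read end */
    if (sendmsg(sv[0], &msg, 0) == 1 && recvmsg(sv[1], &msg, 0) == 1)
        rfd = fd_from_msghdr(&msg);   /* msghdr reused: kernel refills control fields */
    ok = rfd >= 0 && write(p[1], &c, 1) == 1 && read(rfd, &got, 1) == 1 && got == 'x';
    if (rfd >= 0) close(rfd);
    close(sv[0]); close(sv[1]); close(p[0]); close(p[1]);
    return ok;
}
```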