This is the mail archive of the libc-hacker@sourceware.cygnus.com mailing list for the glibc project.
Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.
>
> hjl@varesearch.com (H.J. Lu) writes:
>
> > Here is a patch for the out-of-buffer bug in nscd. Thorsten, could
> > you please double check other nscd functions?
>
> This is completely unnecessary. There is a test (line 150).
>
That is very strange. In my glibc source code, starting from line 150:
  if (buflen < (align + (1 + gr_resp.gr_mem_cnt) * sizeof (char *)
                + gr_resp.gr_name_len + gr_resp.gr_passwd_len))
    {
    no_room:
      __set_errno (ERANGE);
      __close (sock);
      return ERANGE;
    }
  .....
  buflen -= align + (1 + gr_resp.gr_mem_cnt) * sizeof (char *);
  .....
  total_len = gr_resp.gr_mem_cnt * sizeof (size_t);
  .....
  total_len += gr_resp.gr_name_len + gr_resp.gr_passwd_len;
  .....
  buflen -= total_len;
You tell me if there may be a buffer over-run. You may like this
patch.
--
H.J. Lu (hjl@gnu.org)
---
Index: nscd/nscd_getgr_r.c
===================================================================
RCS file: /work/cvs/gnu/glibc-2.1/nscd/nscd_getgr_r.c,v
retrieving revision 1.1.1.14
diff -u -p -r1.1.1.14 nscd_getgr_r.c
--- nscd/nscd_getgr_r.c 1999/06/27 01:14:33 1.1.1.14
+++ nscd/nscd_getgr_r.c 1999/08/29 00:01:51
@@ -148,7 +148,8 @@ nscd_getgr_r (const char *key, size_t ke
align = ((__alignof__ (char *) - (p - ((char *) 0)))
& (__alignof__ (char *) - 1));
if (buflen < (align + (1 + gr_resp.gr_mem_cnt) * sizeof (char *)
- + gr_resp.gr_name_len + gr_resp.gr_passwd_len))
+ + gr_resp.gr_name_len + gr_resp.gr_passwd_len)
+ + gr_resp.gr_mem_cnt * sizeof (size_t))
{
no_room:
__set_errno (ERANGE);
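Review bot: in the changed condition, both products, (1 + gr_resp.gr_mem_cnt) * sizeof (char *) and the added gr_resp.gr_mem_cnt * sizeof (size_t), are computed with no upper bound on gr_mem_cnt visible in this hunk, so a large enough count could wrap the sum and let the buflen comparison pass; consider rejecting an oversized gr_mem_cnt before this test. The added term also sits outside the inner parentheses that now close after gr_resp.gr_passwd_len; it evaluates the same, but moving it inside would keep the required size as one expression. A one-line comment saying what the size_t per member accounts for would help, since the hunk does not show where that space is used.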
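The accounting gap argued in the message above, as an added example that is not part of the original e-mail or of glibc: the quoted check and the quoted subtractions are run side by side on constructed lengths. The struct resp_lens type, the function names and the wrap guard in new_check_passes are assumptions of this example; the patch itself only adds the gr_mem_cnt * sizeof (size_t) term.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the length fields of the nscd group response. */
struct resp_lens { size_t gr_name_len, gr_passwd_len, gr_mem_cnt; };
/* Constructed samples: a 3-member group, and a count that wraps the product. */
static const struct resp_lens sample = { 6, 2, 3 };
static const struct resp_lens wrap = { 0, 0, SIZE_MAX / sizeof (char *) };

/* The check as quoted in the message (before the patch). */
static int old_check_passes (size_t buflen, size_t align, const struct resp_lens *r)
{
  return !(buflen < (align + (1 + r->gr_mem_cnt) * sizeof (char *)
                     + r->gr_name_len + r->gr_passwd_len));
}

/* Check with the patch's extra term; the wrap guard is added by this example. */
static int new_check_passes (size_t buflen, size_t align, const struct resp_lens *r)
{
  const size_t lim = SIZE_MAX / 8;
  if (align > lim || r->gr_name_len > lim || r->gr_passwd_len > lim
      || r->gr_mem_cnt > lim / (sizeof (char *) + sizeof (size_t)))
    return 0;
  return buflen >= align + (1 + r->gr_mem_cnt) * sizeof (char *)
                   + r->gr_mem_cnt * sizeof (size_t)
                   + r->gr_name_len + r->gr_passwd_len;
}

/* buflen after the subtractions quoted in the message; wraps if the check was too weak. */
static size_t remaining_after (size_t buflen, size_t align, const struct resp_lens *r)
{
  size_t total_len;
  buflen -= align + (1 + r->gr_mem_cnt) * sizeof (char *);
  total_len = r->gr_mem_cnt * sizeof (size_t);
  total_len += r->gr_name_len + r->gr_passwd_len;
  buflen -= total_len;
  return buflen;
}

int main (void)
{
  size_t buflen = 4 * sizeof (char *) + 8;   /* exactly what the old check demands */
  printf ("old=%d new=%d remaining=%zu\n", old_check_passes (buflen, 0, &sample),
          new_check_passes (buflen, 0, &sample), remaining_after (buflen, 0, &sample));
  printf ("wrapped count: old=%d new=%d\n", old_check_passes (16, 0, &wrap),
          new_check_passes (16, 0, &wrap));
  return 0;
}
```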