This is the mail archive of the libc-hacker@sources.redhat.com mailing list for the glibc project.
Hi, After debugging one crash I found out that there is a case where buflen is exact zero in nss_compat. Since we work with negative offsets, this means reading the next line results in memory corruption. In real life I only saw this with a test suite which uses buffers of size 1. Here is a patch to make sure that this will not happen: 2004-09-11 Thorsten Kukuk <kukuk@suse.de> * nis/nss_compat/compat-grp.c: Check that buflen is greater zero before writing data into the buffer with negative offset. * nis/nss_compat/compat-initgroups.c: Likewise. * nis/nss_compat/compat-pwd.c: Likewise. * nis/nss_compat/compat-spwd.c Likewise.
--- nis/nss_compat/compat-grp.c 28 Jun 2003 07:58:41 -0000 1.28
+++ nis/nss_compat/compat-grp.c 11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996,1997,1998,1999,2001,2002, 2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996,1997,1998,1999,2001,2002, 2003, 2004 Free Software Foundation, Inc.
 This file is part of the GNU C Library.
 Contributed by Thorsten Kukuk <kukuk@suse.de>, 1996.
@@ -253,6 +253,11 @@
 do {
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
 fgetpos (ent->stream, &pos);
 buffer[buflen - 1] = '\xff';
 p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -384,6 +389,11 @@
 do {
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
 fgetpos (ent->stream, &pos);
 buffer[buflen - 1] = '\xff';
 p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -511,6 +521,11 @@
 do {
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
 fgetpos (ent->stream, &pos);
 buffer[buflen - 1] = '\xff';
 p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-initgroups.c 19 Aug 2004 21:08:49 -0000 1.16
+++ nis/nss_compat/compat-initgroups.c 11 Sep 2004 20:53:05 -0000
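Review bot: The `buflen < 3` guard added in the `@@ -253,6 +253,11 @@` hunk of compat-grp.c sits inside the `do` loop, so it is re-tested for every line read although nothing visible in the hunk changes `buflen`; it would read more clearly as a precondition checked once before the loop, ahead of the first `buffer[buflen - 1] = '\xff';`. The same applies to the other eight hunks that add this check in compat-grp.c, compat-initgroups.c, compat-pwd.c and compat-spwd.c, and nine pasted copies make it easy to miss a read loop later, so a small shared helper or macro for the check is worth considering. The comment could also record the memory-safety reason rather than only the size, e.g. `/* buflen == 0 would make buffer[buflen - 1] index outside the buffer; we need at least 3 characters for one line. */`. The enclosing functions begin and end outside the hunks, so whether `buflen` is adjusted elsewhere in the loop body cannot be confirmed from here.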
@@ -327,6 +327,11 @@
 do {
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
 fgetpos (ent->stream, &pos);
 buffer[buflen - 1] = '\xff';
 p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-pwd.c 28 Jun 2003 07:59:28 -0000 1.33
+++ nis/nss_compat/compat-pwd.c 11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996-1999,2001,2002,2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996-1999,2001,2002,2003, 2004 Free Software Foundation, Inc.
 This file is part of the GNU C Library.
 Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996.
@@ -499,6 +499,11 @@
 do {
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
 fgetpos (ent->stream, &pos);
 buffer[buflen - 1] = '\xff';
 p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -694,6 +699,11 @@
 do {
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
 fgetpos (ent->stream, &pos);
 buffer[buflen - 1] = '\xff';
 p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -897,6 +907,11 @@
 do {
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
 fgetpos (ent->stream, &pos);
 buffer[buflen - 1] = '\xff';
 p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-spwd.c 2 Sep 2003 00:45:13 -0000 1.26
+++ nis/nss_compat/compat-spwd.c 11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996-1999,2001,2002,2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996-1999,2001,2002,2003, 2004 Free Software Foundation, Inc.
 This file is part of the GNU C Library.
 Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996.
@@ -451,6 +451,11 @@
 do {
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
 fgetpos (ent->stream, &pos);
 buffer[buflen - 1] = '\xff';
 p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -645,6 +650,11 @@
 do {
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
 fgetpos (ent->stream, &pos);
 buffer[buflen - 1] = '\xff';
 p = fgets_unlocked (buffer, buflen, ent->stream);
-- Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de SuSE Linux AG Maxfeldstr. 5 D-90409 Nuernberg -------------------------------------------------------------------- Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B