[PATCH] check for buffer underrun in nss_compat
Thorsten Kukuk
kukuk@suse.de
Sat Sep 11 21:01:00 GMT 2004
Hi,
After debugging one crash I found out that there is a case where
buflen is exactly zero in nss_compat. Since we work with negative
offsets, this means reading the next line results in memory corruption.
In real life I only saw this with a test suite which uses buffers
of size 1.
Here is a patch to make sure that this will not happen:
2004-09-11 Thorsten Kukuk <kukuk@suse.de>
* nis/nss_compat/compat-grp.c: Check that buflen is greater zero
before writing data into the buffer with negative offset.
* nis/nss_compat/compat-initgroups.c: Likewise.
* nis/nss_compat/compat-pwd.c: Likewise.
* nis/nss_compat/compat-spwd.c Likewise.
--- nis/nss_compat/compat-grp.c 28 Jun 2003 07:58:41 -0000 1.28
+++ nis/nss_compat/compat-grp.c 11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996,1997,1998,1999,2001,2002, 2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996,1997,1998,1999,2001,2002, 2003, 2004 Free Software Foundation, Inc.
This file is part of the GNU C Library.
Contributed by Thorsten Kukuk <kukuk@suse.de>, 1996.
@@ -253,6 +253,11 @@
do
{
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
fgetpos (ent->stream, &pos);
buffer[buflen - 1] = '\xff';
p = fgets_unlocked (buffer, buflen, ent->stream);
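Review bot: The added guard `if (buflen < 3)` states a minimum of 3 but not why, and a reader has to reconstruct the bound from the sentinel write `buffer[buflen - 1] = '\xff'` and the fgets_unlocked call that follow it; the same bare comment is repeated in the other eight hunks (compat-grp.c at 389 and 521, compat-initgroups.c, and the three hunks each in compat-pwd.c and compat-spwd.c). If the 3 is one payload character, the newline and the terminating NUL, a comment such as `/* Need room for one character, the newline and the NUL; buflen == 0 would also index buffer[-1] in the sentinel write below.  */` would make the bound self-explaining and tie it to the underrun it prevents. Since the identical five lines now appear nine times across four files, a small `static inline` helper or macro in a header shared by the nss_compat modules would keep the bound in one place should it ever need to change. The enclosing do-loop and function start and end outside the hunk, so whether buflen is loop-invariant (and the check could be hoisted above the loop rather than re-evaluated on every line) cannot be confirmed from here.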
@@ -384,6 +389,11 @@
do
{
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
fgetpos (ent->stream, &pos);
buffer[buflen - 1] = '\xff';
p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -511,6 +521,11 @@
do
{
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
fgetpos (ent->stream, &pos);
buffer[buflen - 1] = '\xff';
p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-initgroups.c 19 Aug 2004 21:08:49 -0000 1.16
+++ nis/nss_compat/compat-initgroups.c 11 Sep 2004 20:53:05 -0000
@@ -327,6 +327,11 @@
do
{
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
fgetpos (ent->stream, &pos);
buffer[buflen - 1] = '\xff';
p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-pwd.c 28 Jun 2003 07:59:28 -0000 1.33
+++ nis/nss_compat/compat-pwd.c 11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996-1999,2001,2002,2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996-1999,2001,2002,2003, 2004 Free Software Foundation, Inc.
This file is part of the GNU C Library.
Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996.
@@ -499,6 +499,11 @@
do
{
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
fgetpos (ent->stream, &pos);
buffer[buflen - 1] = '\xff';
p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -694,6 +699,11 @@
do
{
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
fgetpos (ent->stream, &pos);
buffer[buflen - 1] = '\xff';
p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -897,6 +907,11 @@
do
{
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
fgetpos (ent->stream, &pos);
buffer[buflen - 1] = '\xff';
p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-spwd.c 2 Sep 2003 00:45:13 -0000 1.26
+++ nis/nss_compat/compat-spwd.c 11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996-1999,2001,2002,2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996-1999,2001,2002,2003, 2004 Free Software Foundation, Inc.
This file is part of the GNU C Library.
Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996.
@@ -451,6 +451,11 @@
do
{
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
fgetpos (ent->stream, &pos);
buffer[buflen - 1] = '\xff';
p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -645,6 +650,11 @@
do
{
+ if (buflen < 3) /* We need at least 3 characters for one line. */
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
fgetpos (ent->stream, &pos);
buffer[buflen - 1] = '\xff';
p = fgets_unlocked (buffer, buflen, ent->stream);
--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de
SuSE Linux AG Maxfeldstr. 5 D-90409 Nuernberg
--------------------------------------------------------------------
Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B