From patchwork Wed Apr 24 20:54:45 2024
X-Patchwork-Submitter: Florian Weimer
X-Patchwork-Id: 88970
From: Florian Weimer
To: libc-alpha@sourceware.org
Subject: [PATCH v2 3/4] CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bug 31678)
In-Reply-To: <856155216699813fd1e533665adc1669abbcfc8b.1713991707.git.fweimer@redhat.com>
Message-ID: <0be9387ee24720dd6c6a727a91ff2de9f0979aa2.1713991707.git.fweimer@redhat.com>
References: <856155216699813fd1e533665adc1669abbcfc8b.1713991707.git.fweimer@redhat.com>
Date: Wed, 24 Apr 2024 22:54:45 +0200
List-Id: Libc-alpha mailing list

The addgetnetgrentX call in addinnetgrX may have failed to produce a
result, so the result variable in addinnetgrX can be NULL. Use
db->negtimeout as the fallback value if there is no result data; the
timeout is also overwritten below.

Also avoid sending a second not-found response. (The client
disconnects after receiving the first response, so the data stream did
not go out of sync even without this fix.) It is still beneficial to
add the negative response to the mapping, so that the client can get
it from there in the future, instead of going through the socket.

Reviewed-by: Siddhesh Poyarekar

---
v2: CVE assignment.
nscd/netgroupcache.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index c18fe111f3..e22ffa5884 100644 --- a/nscd/netgroupcache.c +++ b/nscd/netgroupcache.c @@ -511,14 +511,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, sizeof (innetgroup_response_header), - he == NULL ? 0 : dh->nreloads + 1, result->head.ttl); + he == NULL ? 0 : dh->nreloads + 1, + result == NULL ? db->negtimeout : result->head.ttl); /* Set the notfound status and timeout based on the result from getnetgrent. */ - dataset->head.notfound = result->head.notfound; + dataset->head.notfound = result == NULL || result->head.notfound; dataset->head.timeout = timeout; dataset->resp.version = NSCD_VERSION; - dataset->resp.found = result->resp.found; + dataset->resp.found = result != NULL && result->resp.found; /* Until we find a matching entry the result is 0. */ dataset->resp.result = 0; @@ -566,7 +567,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, goto out; } - if (he == NULL) + /* addgetnetgrentX may have already sent a notfound response. Do + not send another one. */ + if (he == NULL && dataset->resp.found) { /* We write the dataset before inserting it to the database since while inserting this thread might block and so would
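Review bot: In the first hunk, the comment "Set the notfound status and timeout based on the result from getnetgrent" is now stale for the result == NULL path, where notfound is forced to true and found to false without consulting any result; please extend the comment to say that a missing result is treated as a negative entry. The `result == NULL ? db->negtimeout : result->head.ttl` argument to datahead_init_pos also deserves a one-line note at the call site that the ttl value is provisional and is replaced by the `dataset->head.timeout = timeout;` assignment a few lines down, as the commit message states; otherwise a later reader may assume negtimeout is the effective timeout for this entry.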
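Review bot: In the second hunk, `if (he == NULL && dataset->resp.found)` uses the found flag as a proxy for "addgetnetgrentX already sent a notfound response", but that flag is also false when addgetnetgrentX returned a non-NULL result with resp.found == 0. If addgetnetgrentX does not itself write a response on that path, a not-found lookup for a new key would now get no response at all, so please confirm that addgetnetgrentX sends the notfound reply in both the NULL-result and the found == 0 cases, and state that in the new comment. Also, the diffstat shows only nscd/netgroupcache.c changing; a regression test for bug 31678 that exercises innetgr against a netgroup whose lookup yields no result would guard both hunks against the NULL-result path regressing.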