@@ -8,6 +8,10 @@
* inet/getnetgrent_r.c (get_nonempty_val): New function.
(nscd_getnetgrent): Use it.
+ [BZ #16760]
+ * nscd/netgroupcache.c (addgetnetgrentX): Use memmove instead
+ of stpcpy.
+
2015-11-24 Andreas Schwab <schwab@suse.de>
[BZ #17062]
@@ -9,9 +9,10 @@ Version 2.19.1
* The following bugs are resolved with this release:
- 15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16878,
- 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069, 17079,
- 17137, 17153, 17213, 17263, 17269, 17325, 17555, 18007, 18032, 18287.
+ 15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760,
+ 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069,
+ 17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 18007, 18032,
+ 18287.
* A buffer overflow in gethostbyname_r and related functions performing DNS
requests has been fixed. If the NSS functions were called with a
@@ -211,6 +211,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
const char *nuser = data.val.triple.user;
const char *ndomain = data.val.triple.domain;
+ size_t hostlen = strlen (nhost ?: "") + 1;
+ size_t userlen = strlen (nuser ?: "") + 1;
+ size_t domainlen = strlen (ndomain ?: "") + 1;
+
if (nhost == NULL || nuser == NULL || ndomain == NULL
|| nhost > nuser || nuser > ndomain)
{
@@ -228,9 +232,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
: last + strlen (last) + 1 - buffer);
/* We have to make temporary copies. */
- size_t hostlen = strlen (nhost ?: "") + 1;
- size_t userlen = strlen (nuser ?: "") + 1;
- size_t domainlen = strlen (ndomain ?: "") + 1;
size_t needed = hostlen + userlen + domainlen;
if (buflen - req->key_len - bufused < needed)
@@ -264,9 +265,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
}
char *wp = buffer + buffilled;
- wp = stpcpy (wp, nhost) + 1;
- wp = stpcpy (wp, nuser) + 1;
- wp = stpcpy (wp, ndomain) + 1;
+ wp = memmove (wp, nhost ?: "", hostlen);
+ wp += hostlen;
+ wp = memmove (wp, nuser ?: "", userlen);
+ wp += userlen;
+ wp = memmove (wp, ndomain ?: "", domainlen);
+ wp += domainlen;
buffilled = wp - buffer;
++nentries;
}