diff mbox

Provide correct buffer length to netgroup queries in nscd (BZ #16695)

Message ID 20140312090859.GA887@spoyarek.pnq.redhat.com
State Committed
Headers show

Commit Message

Siddhesh Poyarekar March 12, 2014, 9:08 a.m. UTC
The buffer to query netgroup entries is allocated sufficient space for
the netgroup entries and the key to be appended at the end, but it
sends in an incorrect available length to the NSS netgroup query
functions, resulting in overflow of the buffer in some special cases.
The fix here is to factor in the key length when sending the available
buffer and buffer length to the query functions.

Tested on x86_64.  OK to commit?

Siddhesh

	[BZ #16695]
	* nscd/netgroupcache.c (addgetnetgrentX): Factor in space for
	key in the buffer.

---
 nscd/netgroupcache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Ondrej Bilka March 12, 2014, 9:53 a.m. UTC | #1
On Wed, Mar 12, 2014 at 02:38:59PM +0530, Siddhesh Poyarekar wrote:
> The buffer to query netgroup entries is allocated sufficient space for
> the netgroup entries and the key to be appended at the end, but it
> sends in an incorrect available length to the NSS netgroup query
> functions, resulting in overflow of the buffer in some special cases.
> The fix here is to factor in the key length when sending the available
> buffer and buffer length to the query functions.
> 
> Tested on x86_64.  OK to commit?
>
Looks ok.
Andreas Schwab March 12, 2014, 10:08 a.m. UTC | #2
Siddhesh Poyarekar <siddhesh@redhat.com> writes:

> 	[BZ #16695]
> 	* nscd/netgroupcache.c (addgetnetgrentX): Factor in space for
> 	key in the buffer.

Ok.

Andreas.
diff mbox

Patch

diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index 426d3c5..5ba1e1f 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -202,7 +202,7 @@  addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
 		  {
 		    int e;
 		    status = getfct.f (&data, buffer + buffilled,
-				       buflen - buffilled, &e);
+				       buflen - buffilled - req->key_len, &e);
 		    if (status == NSS_STATUS_RETURN
 			|| status == NSS_STATUS_NOTFOUND)
 		      /* This was either the last one for this group or the