Avoid overlapping addresses to stpcpy calls in nscd (BZ #16760)

  On Thu, Mar 27, 2014 at 03:34:11AM -0400, Mike Frysinger wrote:
> On Thu 27 Mar 2014 09:34:06 Siddhesh Poyarekar wrote:
> > Calls to stpcpy from nscd netgroups code will have overlapping source
> > and destination when all three values in the returned triplet are
> > non-NULL and in the expected (host,user,domain) order.  This is seen
> > in valgrind as:
> > 
> > Fix this by using memmove instead of stpcpy.  Tested x86_64 using
> > various combinations of triplets (including NULL and non-NULL ones) to
> > verify that this works correctly and there are no regressions.
>
This could work only with additional assertion that we do not move host
forward otherwise it could overwrite user.
 
> i feel like we've wanted an equivalent of stpcpy/memccpy for memmove.  good 
> time to add it ? :)
> 
Yes, it would be better to use this at least internally, perhaps this
patch instead is cleaner. 

Other possibility is keep these in separate header like second snippet, 
do you have better name for that? Also I could make a stpcat and move
equivalent, not sure with what name.

Her I would fix a root cause of these bugs which is bad design. We mix
temporary buffer with building result. If we use separate buffers for
that a code would be lot simpler, I will prepare patch for it.
  

On Thu, Mar 27, 2014 at 08:22:54PM +0100, Ondřej Bílka wrote:
> > > Fix this by using memmove instead of stpcpy.  Tested x86_64 using
> > > various combinations of triplets (including NULL and non-NULL ones) to
> > > verify that this works correctly and there are no regressions.
> >
> This could work only with additional assertion that we do not move host
> forward otherwise it could overwrite user.

If the host, user and domain are out of order, they are copied in
order into a separate area in the buffer before the memmove.  If you
think there's something else that could move host forward then I don't
understand and you'll have to elaborate a bit.

Siddhesh
  

On Fri, Mar 28, 2014 at 07:43:22AM +0530, Siddhesh Poyarekar wrote:
> On Thu, Mar 27, 2014 at 08:22:54PM +0100, Ondřej Bílka wrote:
> > > > Fix this by using memmove instead of stpcpy.  Tested x86_64 using
> > > > various combinations of triplets (including NULL and non-NULL ones) to
> > > > verify that this works correctly and there are no regressions.
> > >
> > This could work only with additional assertion that we do not move host
> > forward otherwise it could overwrite user.
> 
> If the host, user and domain are out of order, they are copied in
> order into a separate area in the buffer before the memmove.  If you
> think there's something else that could move host forward then I don't
> understand and you'll have to elaborate a bit.
> 
> Siddhesh

They are in order, its best to show on example what I mean by copying:

host  user  domain
   ^
hoshostser  domain

hoshost tserdomain

hoshost tser domain
  

On Wed, Apr 09, 2014 at 08:22:29PM +0200, Ondřej Bílka wrote:
> On Fri, Mar 28, 2014 at 07:43:22AM +0530, Siddhesh Poyarekar wrote:
> > On Thu, Mar 27, 2014 at 08:22:54PM +0100, Ondřej Bílka wrote:
> > > > > Fix this by using memmove instead of stpcpy.  Tested x86_64 using
> > > > > various combinations of triplets (including NULL and non-NULL ones) to
> > > > > verify that this works correctly and there are no regressions.
> > > >
> > > This could work only with additional assertion that we do not move host
> > > forward otherwise it could overwrite user.
> > 
> > If the host, user and domain are out of order, they are copied in
> > order into a separate area in the buffer before the memmove.  If you
> > think there's something else that could move host forward then I don't
> > understand and you'll have to elaborate a bit.
> > 
> > Siddhesh
> 
> They are in order, its best to show on example what I mean by copying:
> 
> host  user  domain
>    ^

OK, now I see what you mean by 'moving host forward'.  We don't do
that.

Siddhesh

> hoshostser  domain
> 
> hoshost tserdomain
> 
> hoshost tser domain
> 
>