[BZ,17460] "nscd --help" crashes with segmentation fault on 32-bit machine
Commit Message
Printing the nscd help message with "nscd --help" fails part way through the message with a segmentation fault. Reproducible on a 32-bit architecture.
There is a buffer overflow when printing the supported tables.
The memory allocated to hold the concatenated string is allocated with a
size of the pointer array.
This allocation is of insufficient length to hold the strings themselves.
Thanks,
Mikel Rychliski
@@ -1,3 +1,8 @@
+2014-10-06 Mikel Rychliski <mikel@mikelr.com>
+
+ [BZ #17460]
+ * nscd/nscd.c: Fix crash on usage() output.
+
2014-10-02 Chris Metcalf <cmetcalf@tilera.com>
* sysdeps/unix/sysv/linux/tile/sysdep.h (INLINE_VSYSCALL): Define
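Review bot: The new ChangeLog line `* nscd/nscd.c: Fix crash on usage() output.` does not name the function that changes, and it mentions usage() while the code hunk's header shows the edit is in more_help. The neighbouring entry uses the `file (symbol):` form, so something like `* nscd/nscd.c (more_help): Fix undersized allocation for the tables string.` would match both the convention and the actual change.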
@@ -458,13 +458,25 @@ more_help (int key, const char *text, void *input)
case ARGP_KEY_HELP_EXTRA:
{
dbtype cnt;
+ size_t allocated = 40;
+ char *wp = xmalloc (allocated);
- tables = xmalloc (sizeof (dbnames) + 1);
+ tables = wp;
for (cnt = 0; cnt < lastdb; cnt++)
{
- strcat (tables, dbnames[cnt]);
- strcat (tables, " ");
+ size_t len = strlen (dbnames[cnt]);
+ if (wp + len + 2 > tables + allocated)
+ {
+ char *newp;
+ allocated = (allocated + len) * 2;
+ newp = xrealloc (tables, allocated);
+ wp = newp + (wp - tables);
+ tables = newp;
+ }
+ wp = mempcpy (wp, dbnames[cnt], len);
+ wp = mempcpy (wp, " ", 1);
}
+ *wp++ = '\0';
}
/* We print some extra information. */
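Review bot: In the growth branch, `wp = newp + (wp - tables);` runs after `newp = xrealloc (tables, allocated);`, so the subtraction uses two pointers into the old block, which xrealloc may already have released. Compute the offset first (`size_t used = wp - tables;` before the xrealloc call) and then set `wp = newp + used`. The bound test `wp + len + 2 > tables + allocated` can likewise form a pointer past the end of the buffer before comparing; testing `used + len + 2 > allocated` on sizes avoids that. Minor: `*wp++ = '\0';` has no need to advance wp, and the loop leaves a trailing space after the last table name.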