From patchwork Mon Oct 6 20:13:57 2014
X-Patchwork-Submitter: Mikel Rychliski
X-Patchwork-Id: 3117
Message-ID: <5432F805.7090801@mikelr.com>
Date: Mon, 06 Oct 2014 16:13:57 -0400
From: Mikel Rychliski
To: libc-alpha@sourceware.org
Subject: [PATCH] [BZ 17460] "nscd --help" crashes with segmentation fault on 32-bit machine

Printing the nscd help message with "nscd --help" fails part way through the message with a segmentation fault. Reproducible on a 32-bit architecture.

There is a buffer overflow when printing the supported tables. The memory allocated to hold the concatenated string is allocated with a size of the pointer array. This allocation is of insufficient length to hold the strings themselves.

Thanks,
Mikel Rychliski

diff --git a/ChangeLog b/ChangeLog
index e127a08..24ea7c4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-10-06  Mikel Rychliski
+
+	[BZ #17460]
+	* nscd/nscd.c: Fix crash on usage() output.
+
 2014-10-02  Chris Metcalf
 
 	* sysdeps/unix/sysv/linux/tile/sysdep.h (INLINE_VSYSCALL): Define
diff --git a/nscd/nscd.c b/nscd/nscd.c
index 7131ead..4a03d16 100644
--- a/nscd/nscd.c
+++ b/nscd/nscd.c
@@ -458,13 +458,25 @@ more_help (int key, const char *text, void *input) case ARGP_KEY_HELP_EXTRA: { dbtype cnt; + size_t allocated = 40; + char *wp = xmalloc (allocated); - tables = xmalloc (sizeof (dbnames) + 1); + tables = wp; for (cnt = 0; cnt < lastdb; cnt++) { - strcat (tables, dbnames[cnt]); - strcat (tables, " "); + size_t len = strlen (dbnames[cnt]); + if (wp + len + 2 > tables + allocated) + { + char *newp; + allocated = (allocated + len) * 2; + newp = xrealloc (tables, allocated); + wp = newp + (wp - tables); + tables = newp; + } + wp = mempcpy (wp, dbnames[cnt], len); + wp = mempcpy (wp, " ", 1); } + *wp++ = '\0'; } /* We print some extra information. */
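Review bot: the ChangeLog entry for nscd/nscd.c says "Fix crash on usage() output", but the hunk header shows the change is in more_help (), and glibc ChangeLog entries name the function changed in parentheses; suggest `* nscd/nscd.c (more_help): Fix buffer overflow when building the list of supported tables.` so the entry points at the right function and says what was actually wrong rather than the symptom.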
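Review bot: in the grow path of the nscd.c hunk, `wp = newp + (wp - tables);` subtracts from `tables` after `xrealloc (tables, allocated)` has already freed that block, and the guard `wp + len + 2 > tables + allocated` forms a pointer that can land more than one past the end of the buffer; both are undefined behaviour in C even though they work in practice. Save the offset before the realloc (`size_t off = wp - tables; tables = xrealloc (tables, allocated); wp = tables + off;`) and compare sizes instead of pointers (`if (allocated - (wp - tables) < len + 2)`). Since dbnames is a fixed array of lastdb entries, a simpler shape avoids the realloc loop altogether: one pass summing `strlen (dbnames[cnt]) + 1` for every entry plus one for the NUL, then a single xmalloc and the mempcpy loop. Two smaller points: the `++` in the final `*wp++ = '\0';` is dead, and the old code's `strcat (tables, ...)` on an xmalloc'ed buffer that was never NUL-terminated was itself undefined, which is worth a sentence in the commit message since this hunk fixes that too.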
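The size mistake described in the commit message above, as an added example that is not part of the patch or of glibc: `sizeof (dbnames) + 1` reserves one pointer per table plus a byte, so the capacity scales with the pointer width rather than with the strings, which is why the same names fit by luck on a 64-bit build and overflow on 32-bit. The `dbnames`/`lastdb` names mirror the patch; the table names are constructed sample data. It shows two correct sizings: measure-then-allocate-once, and a grow-on-demand append that keeps its write position as an offset so nothing is computed from the block realloc has freed.

```c
/* Added example, not glibc code: models the size mistake in the commit
   message above and two ways to size the buffer correctly.  dbnames and
   lastdb mirror the names used in the patch; the table names themselves are
   constructed sample data. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

static const char *const dbnames[] = {
  "passwd", "group", "hosts", "services", "netgroup"   /* constructed */
};
enum { lastdb = sizeof dbnames / sizeof dbnames[0] };

/* What the pre-patch code reserved: the size of the pointer array plus one,
   i.e. lastdb * sizeof (char *) + 1.  That depends on the pointer width, not
   on the strings, which is why the overflow shows up on 32-bit first. */
size_t buggy_alloc_size (void)
{
  return sizeof (dbnames) + 1;
}

/* Bytes the concatenation really needs: every name, one separating space
   after each, and the terminating NUL. */
size_t needed_size (void)
{
  size_t len = 1;                       /* NUL */
  for (size_t i = 0; i < lastdb; i++)
    len += strlen (dbnames[i]) + 1;     /* name + ' ' */
  return len;
}

/* True when the undersized allocation happens to be large enough anyway. */
int buggy_size_is_enough (void)
{
  return buggy_alloc_size () >= needed_size ();
}

/* Fix 1: measure first, allocate once, write with a moving pointer. */
char *build_tables (void)
{
  size_t n = needed_size ();
  char *tables = malloc (n);
  if (tables == NULL)
    return NULL;
  char *wp = tables;
  for (size_t i = 0; i < lastdb; i++)
    {
      size_t len = strlen (dbnames[i]);
      memcpy (wp, dbnames[i], len);
      wp += len;
      *wp++ = ' ';
    }
  *wp = '\0';                           /* wp == tables + n - 1 here */
  return tables;
}

/* Fix 2: grow on demand.  The write position is kept as an offset so that
   nothing is derived from the old block after realloc has freed it. */
static int append_word (char **buf, size_t *used, size_t *allocated,
                        const char *s)
{
  size_t len = strlen (s);
  if (*allocated - *used < len + 2)     /* word + ' ' + NUL */
    {
      size_t want = (*allocated + len) * 2;
      char *newp = realloc (*buf, want);
      if (newp == NULL)
        return -1;
      *buf = newp;
      *allocated = want;
    }
  memcpy (*buf + *used, s, len);
  *used += len;
  (*buf)[(*used)++] = ' ';
  (*buf)[*used] = '\0';                 /* always a valid string */
  return 0;
}

char *build_tables_growing (size_t initial)
{
  size_t allocated = initial ? initial : 1, used = 0;
  char *buf = malloc (allocated);
  if (buf == NULL)
    return NULL;
  buf[0] = '\0';
  for (size_t i = 0; i < lastdb; i++)
    if (append_word (&buf, &used, &allocated, dbnames[i]) != 0)
      {
        free (buf);
        return NULL;
      }
  return buf;
}
```

With these five names the strings need 38 bytes; the buggy size is 41 on a 64-bit build and 21 on a 32-bit one, so `buggy_size_is_enough ()` flips with the pointer width, which is the behaviour the report describes. Both builders produce the same string and leave the trailing space the patch's loop also leaves.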