[1/4] nscd: Stack-based buffer overflow in netgroup cache (bug 31677)

Message ID 73a91330cea898a1d48c0033ffcdb2cf8e6fbc4c.1713974801.git.fweimer@redhat.com
State Superseded
Series Various nscd security fixes

Checks

Context                                            Check    Description
redhat-pt-bot/TryBot-apply_patch                   success  Patch applied to master at the time it was sent
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64   success  Testing passed
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64   success  Testing passed
linaro-tcwg-bot/tcwg_glibc_build--master-arm       success  Testing passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm       success  Testing passed

Commit Message

Florian Weimer April 24, 2024, 4:08 p.m. UTC
Using alloca matches what other caches do.  The request length is
bounded by MAXKEYLEN.
---
 nscd/netgroupcache.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
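The commit message names the fix but not the layout that made the old fallback unsafe. The C program below is an added example for this page, not glibc or nscd code: it models a cache entry as a fixed header followed immediately by the key bytes, shows the pre-fix fixed-size stack object spilling exactly key_len bytes past itself (captured inside a poisoned frame so the demo stays deterministic instead of corrupting a real stack), and then the patch's approach of an alloca sized for header plus key, guarded by the MAXKEYLEN bound the commit message relies on. The struct layouts, the MAXKEYLEN value of 1024, malloc standing in for mempool_alloc, the sample key and the function names (fill_indataset, old_fallback_overflow, build_entry, demo_roundtrip) are all assumptions made for the example.

```c
#include <alloca.h>     /* alloca as on glibc, matching the patch */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed bound on a request key; the real value is nscd's.  */
#define MAXKEYLEN 1024

/* Simplified stand-ins for nscd's structures (assumptions, not glibc's
   definitions).  An entry is the fixed header followed immediately by
   key_len bytes of key, so it needs sizeof (struct indataset) + key_len.  */
struct datahead { uint32_t allocsize; uint32_t recsize; };
struct indataset { struct datahead head; int32_t result; };  /* key follows */

/* Write the header and append KEY right after the struct.  The caller must
   supply an object of sizeof (*dataset) + key_len bytes.  */
static void
fill_indataset (struct indataset *dataset, const char *key, size_t key_len,
                int32_t result)
{
  dataset->head.allocsize = (uint32_t) (sizeof (*dataset) + key_len);
  dataset->head.recsize = dataset->head.allocsize;
  dataset->result = result;
  memcpy ((unsigned char *) dataset + sizeof (*dataset), key, key_len);
}

/* Pre-fix fallback: a fixed-size stack object that is key_len bytes too
   small.  dataset_mem sits at the start of a larger frame whose remaining
   bytes are poisoned, so the spill can be measured.  Returns how many key
   bytes landed beyond dataset_mem (the overflow length).  */
static size_t
old_fallback_overflow (const char *key, size_t key_len)
{
  struct
  {
    struct indataset dataset_mem;    /* what the old code declared */
    unsigned char after[MAXKEYLEN];  /* stands in for the rest of the stack */
  } frame;

  if (key_len > sizeof frame.after)
    return 0;
  memset (frame.after, 0xAA, sizeof frame.after);
  fill_indataset (&frame.dataset_mem, key, key_len, 1);
  /* No padding between the members: every key byte went into `after`.  */
  return memcmp (frame.after, key, key_len) == 0 ? key_len : 0;
}

/* Post-fix fallback in the patch's style: enforce the bound explicitly
   (the example stands alone, so it does not rely on nscd's request
   parsing), then size the stack object for the whole entry.
   MEMPOOL_FAILED simulates mempool_alloc returning NULL; malloc stands in
   for the mempool.  The finished entry is copied to OUT.  Returns the entry
   size, or 0 if the request is rejected or OUT is too small.  */
static size_t
build_entry (const char *key, size_t key_len, int32_t result,
             bool mempool_failed, unsigned char *out, size_t out_len)
{
  if (key_len > MAXKEYLEN)
    return 0;
  size_t total = sizeof (struct indataset) + key_len;
  if (out == NULL || total > out_len)
    return 0;

  struct indataset *dataset = mempool_failed ? NULL : malloc (total);
  bool cacheable = true;
  if (dataset == NULL)
    {
      cacheable = false;
      /* key_len <= MAXKEYLEN, so this stack allocation is bounded.  */
      dataset = alloca (total);
    }
  fill_indataset (dataset, key, key_len, result);
  memcpy (out, dataset, total);
  if (cacheable)
    free (dataset);
  return total;
}

/* Constructed round trip over a sample netgroup triple: build the entry
   with or without the mempool and verify header and key.  Returns the
   entry size (header 12 bytes + 19 key bytes), or 0 on any mismatch.  */
static size_t
demo_roundtrip (bool mempool_failed)
{
  static const char key[] = "host1,user1,example";   /* constructed sample */
  const size_t key_len = sizeof key - 1;
  unsigned char out[sizeof (struct indataset) + MAXKEYLEN];
  size_t total = build_entry (key, key_len, 1, mempool_failed, out, sizeof out);
  if (total != sizeof (struct indataset) + key_len)
    return 0;
  struct indataset hdr;
  memcpy (&hdr, out, sizeof hdr);
  if (hdr.head.recsize != total || hdr.result != 1)
    return 0;
  if (memcmp (out + sizeof hdr, key, key_len) != 0)
    return 0;
  return total;
}
```

old_fallback_overflow reports 19 for the sample key: the whole key was written past the 12-byte struct, which is the stack-based overflow in the title. build_entry takes the patch's route: the fallback object is sized for header plus key, and a bound on key_len is what keeps that alloca small, which is why a comment or assertion at the alloca site is worth having.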

Comments

Siddhesh Poyarekar April 24, 2024, 4:27 p.m. UTC | #1
On 2024-04-24 12:08, Florian Weimer wrote:
> Using alloca matches what other caches do.  The request length is
> bounded by MAXKEYLEN.
> ---
>   nscd/netgroupcache.c | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
> index 0c6e46f15c..24fbac7668 100644
> --- a/nscd/netgroupcache.c
> +++ b/nscd/netgroupcache.c
> @@ -502,12 +502,11 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
>         = (struct indataset *) mempool_alloc (db,
>   					    sizeof (*dataset) + req->key_len,
>   					    1);
> -  struct indataset dataset_mem;
>     bool cacheable = true;
>     if (__glibc_unlikely (dataset == NULL))
>       {
>         cacheable = false;

Can you please add a comment here stating that KEY_LEN is bounded by 
MAXKEYLEN?  Looks OK otherwise.

> -      dataset = &dataset_mem;
> +      dataset = alloca (sizeof (*dataset) + req->key_len);
>       }
>   
>     datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
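Review bot: the new `dataset = alloca (sizeof (*dataset) + req->key_len);` line carries no comment or assertion recording that req->key_len is bounded by MAXKEYLEN, and that bound is the only thing keeping this stack allocation small. The commit message states the bound and the review above asks for it to be written down, so add a one-line comment such as `/* KEY_LEN is bounded by MAXKEYLEN, so the alloca is bounded too.  */` directly above the alloca (an assert on req->key_len would also do), so the next reader of this fallback path does not have to rediscover why alloca is safe here.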

Patch

diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index 0c6e46f15c..24fbac7668 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -502,12 +502,11 @@  addinnetgrX (struct database_dyn *db, int fd, request_header *req,
       = (struct indataset *) mempool_alloc (db,
 					    sizeof (*dataset) + req->key_len,
 					    1);
-  struct indataset dataset_mem;
   bool cacheable = true;
   if (__glibc_unlikely (dataset == NULL))
     {
       cacheable = false;
-      dataset = &dataset_mem;
+      dataset = alloca (sizeof (*dataset) + req->key_len);
     }
 
   datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
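Review bot: the removed `struct indataset dataset_mem;` reserved only sizeof (*dataset) bytes, while both the mempool_alloc call and `datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,` size the entry as header plus key, so the old fallback was short by req->key_len bytes whenever mempool_alloc returned NULL. The alloca closes that gap, but nothing in this hunk shows where req->key_len is bounded; add the MAXKEYLEN comment requested in review next to the alloca so the size reasoning is visible at the allocation site.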