This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug nscd/1363] New: getXXbyYY functions coredump in nscd_getpw_r: free of static resultbuf


nscd_getpw_r() will free() on a static buffer passed in to it when called by
getpwnam() and friends.

This can be seen by simple code inspection in nscd/nscd_getpw_r.c.
(discussion is based on CVS version 1.30 which is the current MAIN). The
following excerpt is a few lines of nscd/nscd_getpw_r.c:

86:nscd_getpw_r (...)
96: retry:;
142:   resultbuf->pw_uid = pw_resp->pw_uid;
203:   if (__nscd_drop_map_ref (mapped, &gc_cycle) != 0 && retval != -1)
230:     free (resultbuf);
232:     goto retry;

The above shows that if there has been a GC cycle that resultbuf is freed and
then reused in the next retry. That's incorrect. It is also incorrect in that
resultbuf is passed in, and it can be a buffer that's not from the heap. 

This turns up in a simple getpwnam() call made during a GC cycle. This tries to
free the resbuf in getpwnam and thus dumps core.

Suggested fix: remove free(resultbuf) (line 230).

-- 
           Summary: getXXbyYY functions coredump in nscd_getpw_r: free of
                    static resultbuf
           Product: glibc
           Version: 2.3.5
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
        AssignedTo: drepper at redhat dot com
        ReportedBy: kees dot verruijt at redwood dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: 2.3.5
  GCC host triplet: 2.3.5
GCC target triplet: 2.3.5


http://sourceware.org/bugzilla/show_bug.cgi?id=1363
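The ownership rule the report describes, as an added example that is neither the reporter's code nor glibc's: a reentrant lookup that fills a caller-supplied result buffer, retries after a simulated GC cycle, and on retry simply re-fills the buffer instead of calling free() on it. The struct pw_rec type, the sample_db entries, the simulate_gc_cycle flag and the lookup_pw_r/lookup_pw names are all constructed for this illustration and stand in for struct passwd, the nscd mapped database, __nscd_drop_map_ref's gc_cycle result and nscd_getpw_r/getpwnam respectively.

```c
/* Added example (hypothetical names, not glibc code): a caller-supplied
   result buffer must survive a retry.  The _r lookup fills 'resultbuf'
   but never owns it, so after a (simulated) GC cycle it re-fills the
   buffer rather than free()ing it, which would crash when the buffer is
   static or on the caller's stack. */
#include <stdio.h>
#include <string.h>

/* Minimal constructed record standing in for struct passwd. */
struct pw_rec {
    char name[32];
    unsigned uid;
    unsigned gid;
};

/* Constructed "database" the lookup reads from. */
static const struct pw_rec sample_db[] = {
    { "alice", 1000, 1000 },
    { "bob",   1001, 1001 },
};

/* Simulated cache state: nonzero means the mapped data was garbage
   collected while we read it, so the lookup must be retried once. */
static int simulate_gc_cycle = 1;

/* Number of attempts the most recent lookup needed (for demonstration). */
static int last_attempts;

/* Fixed pattern: resultbuf belongs to the caller.  Returns 0 on success,
   -1 when the name is unknown.  A retry only re-fills the buffer. */
int lookup_pw_r(const char *name, struct pw_rec *resultbuf)
{
    const struct pw_rec *found;
    last_attempts = 0;
retry:
    last_attempts++;
    found = NULL;
    for (size_t i = 0; i < sizeof sample_db / sizeof sample_db[0]; i++) {
        if (strcmp(sample_db[i].name, name) == 0) {
            found = &sample_db[i];
            break;
        }
    }

    if (found) {
        /* Copy fields into the caller's buffer, as nscd_getpw_r does. */
        strncpy(resultbuf->name, found->name, sizeof resultbuf->name - 1);
        resultbuf->name[sizeof resultbuf->name - 1] = '\0';
        resultbuf->uid = found->uid;
        resultbuf->gid = found->gid;
    }

    /* Dropping the map reference reports whether a GC cycle ran; if so
       the copied data may be stale and we retry.  Crucially there is no
       free(resultbuf) here: this function never allocated it. */
    if (simulate_gc_cycle) {
        simulate_gc_cycle = 0;
        goto retry;
    }
    return found ? 0 : -1;
}

/* Non-reentrant wrapper in the style of getpwnam(): a static result
   buffer, exactly the kind a free() inside lookup_pw_r would corrupt. */
struct pw_rec *lookup_pw(const char *name)
{
    static struct pw_rec result;
    return lookup_pw_r(name, &result) == 0 ? &result : NULL;
}

/* Exposes the attempt count so a caller can observe the retry. */
int lookup_attempts(void)
{
    return last_attempts;
}

int main(void)
{
    struct pw_rec *p = lookup_pw("alice");
    if (p)
        printf("%s uid=%u gid=%u attempts=%d\n",
               p->name, p->uid, p->gid, lookup_attempts());
    return p ? 0 : 1;
}
```

The first call goes through the retry path (two attempts) and still returns a valid pointer into the static buffer; subsequent calls take one attempt. Any free() of the buffer inside lookup_pw_r would be a free of non-heap memory, which is the crash the report describes.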
