This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/19653] New: Potential for NULL pointer dereference (CWE-476) in glibc-2.22


https://sourceware.org/bugzilla/show_bug.cgi?id=19653

            Bug ID: 19653
           Summary: Potential for NULL pointer dereference (CWE-476) in
                    glibc-2.22
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: wp02855 at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 9000
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9000&action=edit
patch file for above bug report (diff -u)

Hello All,

In reviewing source code in glibc-2.22, in directory 'inet', file
'ruserpass.c', there is a call to malloc() which is not checked for
a return value of NULL indicating failure, but immediately after the
call to malloc(), a call to strcpy() is made using the variable
'*aacct', and if '*aacct' is NULL, a segmentation fault/violation
will occur. The code block this is contained in is currently
commented out by the pre-processor via #if 0, but if this is
re-enabled in the future, it could segmentation fault without
the check for NULL from malloc().

The patch file below adds the necessary test for the return
value from malloc():

--- ruserpass.c.orig    2016-02-16 16:24:23.632257052 -0800
+++ ruserpass.c 2016-02-16 16:27:02.262262819 -0800
@@ -206,6 +206,10 @@
                        }
                        if (token() && *aacct == 0) {
                                *aacct = malloc((unsigned) strlen(tokval) + 1);
+                               if (*aacct == NULL) {
+                                       warnx(_("out of memory"));
+                                       goto bad;
+                               }
                                (void) strcpy(*aacct, tokval);
                        }
 #endif
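Review bot: the added lines at `if (*aacct == NULL)` depend on `warnx`, the `_()` translation macro and a `bad:` label, none of which are visible in this hunk; confirm that ruserpass.c already declares and uses all three in the enabled code, because the whole block sits under `#if 0` (the `#endif` is the last context line), so the compiler will never catch a missing label or an undeclared function here, and a patch that only changes dead code cannot be verified by building. One small consistency point: the existing guard two lines up writes `*aacct == 0` while the new check writes `*aacct == NULL`; pick one spelling for the block.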

=======================================================================

Bill Parker (wp02855 at gmail dot com)

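An added illustration of the defect the report describes, not glibc's code or the attached patch: the `malloc()`-then-`strcpy()` step is isolated in a hypothetical helper `store_token`, and the allocator is passed in as a parameter so the NULL-return path can actually be exercised; `failing_alloc` and `demo` are constructed names.

```c
/* Added example (not glibc code, not the reporter's patch): the
 * malloc()+strcpy() pattern from ruserpass.c, with the allocator made
 * injectable so the out-of-memory path can be run deterministically. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);

/* Constructed failing allocator: behaves like malloc() returning NULL. */
static void *failing_alloc(size_t n) { (void) n; return NULL; }

/* Hypothetical helper mirroring the patched branch: copy tokval into
 * *slot only if the slot is still empty (the `*aacct == 0` test).
 * Returns 0 on success, -1 if the allocation failed; on failure *slot
 * stays NULL and is never handed to strcpy()/memcpy(). */
static int store_token(char **slot, const char *tokval, alloc_fn alloc)
{
    if (*slot != NULL)
        return 0;                      /* already set, nothing to do */
    size_t len = strlen(tokval) + 1;   /* room for the terminator */
    char *buf = alloc(len);
    if (buf == NULL)
        return -1;                     /* the check the patch adds */
    memcpy(buf, tokval, len);          /* safe: buf is non-NULL here */
    *slot = buf;
    return 0;
}

/* Self-check: success with malloc, clean failure with the failing
 * allocator. Returns 1 when both paths behave, 0 otherwise. */
static int demo(void)
{
    char *aacct = NULL;
    if (store_token(&aacct, "account1", malloc) != 0
        || strcmp(aacct, "account1") != 0)
        return 0;
    char *other = NULL;
    int rc = store_token(&other, "account2", failing_alloc);
    free(aacct);
    return rc == -1 && other == NULL;
}
```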
