This is the mail archive of the libc-hacker@sourceware.cygnus.com mailing list for the glibc project.
Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.
> hjl@varesearch.com (H.J. Lu) writes:
>
> > Here is a patch for the out-of-buffer bug in nscd. Thorsten, could
> > you please double check other nscd functions?
>
> This is completely unnecessary. There is a test (line 150).
>

That is very strange. In my glibc source code, starting from line 150:

  if (buflen < (align + (1 + gr_resp.gr_mem_cnt) * sizeof (char *)
                + gr_resp.gr_name_len + gr_resp.gr_passwd_len))
    {
    no_room:
      __set_errno (ERANGE);
      __close (sock);
      return ERANGE;
    }
  .....
  buflen -= align + (1 + gr_resp.gr_mem_cnt) * sizeof (char *);
  .....
  total_len = gr_resp.gr_mem_cnt * sizeof (size_t);
  .....
  total_len += gr_resp.gr_name_len + gr_resp.gr_passwd_len;
  .....
  buflen -= total_len;

You tell me if there may be a buffer over-run.

You may like this patch.

--
H.J. Lu (hjl@gnu.org)
---
Index: nscd/nscd_getgr_r.c
===================================================================
RCS file: /work/cvs/gnu/glibc-2.1/nscd/nscd_getgr_r.c,v
retrieving revision 1.1.1.14
diff -u -p -r1.1.1.14 nscd_getgr_r.c
--- nscd/nscd_getgr_r.c	1999/06/27 01:14:33	1.1.1.14
+++ nscd/nscd_getgr_r.c	1999/08/29 00:01:51
@@ -148,7 +148,8 @@ nscd_getgr_r (const char *key, size_t ke
   align = ((__alignof__ (char *) - (p - ((char *) 0)))
           & (__alignof__ (char *) - 1));
   if (buflen < (align + (1 + gr_resp.gr_mem_cnt) * sizeof (char *)
-               + gr_resp.gr_name_len + gr_resp.gr_passwd_len))
+               + gr_resp.gr_name_len + gr_resp.gr_passwd_len)
+               + gr_resp.gr_mem_cnt * sizeof (size_t))
     {
     no_room:
       __set_errno (ERANGE);
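Review bot: the new condition's grouping differs from the old one in a way that is easy to misread: the first `+` line now closes the `(align + ...)` group with a single `)` and leaves `gr_resp.gr_mem_cnt * sizeof (size_t)` outside it, which is arithmetically the same as putting the term inside the group but harder to check against the `buflen -=` steps that follow. Suggest keeping the first `+` line as `+ gr_resp.gr_name_len + gr_resp.gr_passwd_len` and ending with `+ gr_resp.gr_mem_cnt * sizeof (size_t)))`, and adding a one-line comment that this term mirrors the later `total_len = gr_resp.gr_mem_cnt * sizeof (size_t);`, since the check is only correct while the two stay in sync and the later `buflen -= total_len` on an unsigned `size_t` wraps silently rather than failing when they drift apart.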
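As an added illustration of the gap the mail describes (this is not glibc code and not part of the mail), the following C model puts the pre-patch check beside the patched one and measures how many bytes a response admitted by each check would write past the caller's buffer. The struct, the `align` parameter and the function names are constructed stand-ins for the fields the real check reads.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the response fields that the size check in
   nscd_getgr_r reads; this is not glibc's own struct. */
struct gr_resp_model { size_t gr_name_len, gr_passwd_len, gr_mem_cnt; };

/* Bytes the function later carves out of the caller's buffer, following
   the two "buflen -=" steps quoted in the mail: the pointer array, then
   total_len, which starts with gr_mem_cnt length words of size_t. */
static size_t
bytes_needed (const struct gr_resp_model *r, size_t align)
{
  size_t ptrs = align + (1 + r->gr_mem_cnt) * sizeof (char *);
  size_t total_len = r->gr_mem_cnt * sizeof (size_t)
                     + r->gr_name_len + r->gr_passwd_len;
  return ptrs + total_len;
}

/* The check as it stood before the patch: the size_t words are missing. */
static bool
check_before_patch (const struct gr_resp_model *r, size_t align, size_t buflen)
{
  return buflen >= align + (1 + r->gr_mem_cnt) * sizeof (char *)
                   + r->gr_name_len + r->gr_passwd_len;
}

/* The check with the patch's extra term applied. */
static bool
check_after_patch (const struct gr_resp_model *r, size_t align, size_t buflen)
{
  return buflen >= align + (1 + r->gr_mem_cnt) * sizeof (char *)
                   + r->gr_name_len + r->gr_passwd_len
                   + r->gr_mem_cnt * sizeof (size_t);
}

/* Bytes a response admitted by CHECK would write past a BUFLEN-byte buffer;
   0 means it was rejected with ERANGE or it fits.  In the real code the
   shortfall is hidden because "buflen -= total_len" on a size_t wraps. */
size_t
overrun_bytes (const struct gr_resp_model *r, size_t align, size_t buflen,
               bool (*check) (const struct gr_resp_model *, size_t, size_t))
{
  if (!check (r, align, buflen))
    return 0;
  size_t need = bytes_needed (r, align);
  return need > buflen ? need - buflen : 0;
}
```

For a group with N members and a buffer sized exactly to the old check's minimum, the old check admits the response and the write runs N * sizeof (size_t) bytes past the end; the patched check rejects it with ERANGE.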