This is the mail archive of the libc-hacker@sources.redhat.com mailing list for the glibc project.

Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[PATCH] Fix a possible buffer overflow in crypt (in lowmem situation only), fix lowmem handling in chroot_canon

From: Jakub Jelinek <jakub at redhat dot com>
To: Ulrich Drepper <drepper at redhat dot com>, Roland McGrath <roland at redhat dot com>
Cc: Glibc hackers <libc-hacker at sources dot redhat dot com>
Date: Tue, 8 Jun 2004 16:17:31 +0200
Subject: [PATCH] Fix a possible buffer overflow in crypt (in lowmem situation only), fix lowmem handling in chroot_canon
Reply-to: Jakub Jelinek <jakub at redhat dot com>

Hi!

2004-06-08  Jakub Jelinek  <jakub@redhat.com>

	[BZ #199]
	* crypt/md5-crypt.c (__md5_crypt): Only update buflen if realloc
	succeeds.  Reported by Miles Ohlrich <miles@cray.com>.

	* elf/chroot_canon.c (chroot_canon): Avoid segfault if first malloc
	fails.  Avoid memory leak if realloc fails.

--- libc/crypt/md5-crypt.c.jj	2002-11-11 03:43:28.000000000 +0100
+++ libc/crypt/md5-crypt.c	2004-06-08 17:47:10.132492169 +0200
@@ -1,6 +1,7 @@
 /* One way encryption based on MD5 sum.
    Compatible with the behavior of MD5 crypt introduced in FreeBSD 2.0.
-   Copyright (C) 1996,1997,1999,2000,2001,2002 Free Software Foundation, Inc.
+   Copyright (C) 1996, 1997, 1999, 2000, 2001, 2002, 2004
+   Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Ulrich Drepper <drepper@cygnus.com>, 1996.
 
@@ -250,15 +251,12 @@ __md5_crypt (const char *key, const char
 
   if (buflen < needed)
     {
-      char *new_buffer;
-
-      buflen = needed;
-
-      new_buffer = (char *) realloc (buffer, buflen);
+      char *new_buffer = (char *) realloc (buffer, needed);
       if (new_buffer == NULL)
 	return NULL;
 
       buffer = new_buffer;
+      buflen = needed;
     }
 
   return __md5_crypt_r (key, salt, buffer, buflen);
--- libc/elf/chroot_canon.c.jj	2001-12-29 16:57:13.000000000 +0100
+++ libc/elf/chroot_canon.c	2004-06-08 18:05:45.556593648 +0200
@@ -1,5 +1,6 @@
 /* Return the canonical absolute name of a given file inside chroot.
-   Copyright (C) 1996,1997,1998,1999,2000,2001 Free Software Foundation, Inc.
+   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2004
+   Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -59,6 +60,9 @@ chroot_canon (const char *chroot, const 
     }
 
   rpath = malloc (chroot_len + PATH_MAX);
+  if (rpath == NULL)
+    return NULL;
+
   rpath_limit = rpath + chroot_len + PATH_MAX;
 
   rpath_root = (char *) mempcpy (rpath, chroot, chroot_len) - 1;
@@ -108,7 +112,7 @@ chroot_canon (const char *chroot, const 
 		new_size += PATH_MAX;
 	      new_rpath = (char *) realloc (rpath, new_size);
 	      if (new_rpath == NULL)
-		return NULL;
+		goto error;
 	      rpath = new_rpath;
 	      rpath_limit = rpath + new_size;
 

	Jakub

Follow-Ups:
- Re: [PATCH] Fix a possible buffer overflow in crypt (in lowmem situation only), fix lowmem handling in chroot_canon
  - From: Roland McGrath

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]