This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.



GNU C Library master sources branch master updated. glibc-2.18-823-gd7b00f9


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  d7b00f98106a0f1e3d753b135eeb97dfdf6e2e74 (commit)
      from  af37a8a3496327a6e5617a2c76f17aa1e8db835e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d7b00f98106a0f1e3d753b135eeb97dfdf6e2e74

commit d7b00f98106a0f1e3d753b135eeb97dfdf6e2e74
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon Jan 27 16:49:33 2014 +0530

    Fix invalid memory access when parsing netgroup files with blank lines (BZ #16506)
    
    The netgroups file parsing code tries to access the character before
    the newline in parsed lines to see if it is a backslash (\).  This
    results in an access before the block allocated for the line if the
    line is blank, i.e. does not have anything other than the newline
    character.  This doesn't seem like it will cause any crashes because
    the byte belongs to the malloc metadata block and hence access to it
    will always succeed.
    
    There could be an invalid alteration in code flow where a blank line
    is seen as a continuation due to the preceding byte *happening* to be
    '\\'.  This could be done by interposing malloc, but that's not really
    a security problem since one could interpose getnetgrent_r itself and
    achieve a similar 'exploit'.
    
    The possibility of actually exploiting this is remote to impossible
    since it also requires the previous line to end with a '\\', which
    would happen only on invalid configurations.

diff --git a/ChangeLog b/ChangeLog
index a1f549e..322ec08 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2014-01-27  Siddhesh Poyarekar  <siddhesh@redhat.com>
 
+	[BZ #16506]
+	* nss/nss_files/files-netgrp.c (_nss_files_setnetgrent): Avoid
+	access beyond array bounds when parsing netgroups file.
+
 	* nscd/netgroupcache.c (addgetnetgrentX): Compute offset from
 	the old buffer before realloc.
 
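Review bot: the new entry's wording "access beyond array bounds" does not match the defect the commit message describes, which is a read one byte before the start of the line buffer when the line is blank; "Avoid reading before the start of the line buffer when parsing a blank line in the netgroups file" would describe the fix precisely.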
diff --git a/nss/nss_files/files-netgrp.c b/nss/nss_files/files-netgrp.c
index 339f704..34eae4c 100644
--- a/nss/nss_files/files-netgrp.c
+++ b/nss/nss_files/files-netgrp.c
@@ -103,7 +103,8 @@ _nss_files_setnetgrent (const char *group, struct __netgrent *result)
 	      result->cursor += (curlen - group_len) - 1;
 	    }
 
-	  while (line[curlen - 1] == '\n' && line[curlen - 2] == '\\')
+	  while (curlen > 1 && line[curlen - 1] == '\n'
+		 && line[curlen - 2] == '\\')
 	    {
 	      /* Yes, we have a continuation line.  */
 	      if (found)
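Review bot: the `curlen > 1` guard correctly short-circuits before `line[curlen - 2]` for the one-byte "\n" line, but the patch adds no regression test for BZ #16506; a netgroup file containing a line that ends in '\\' followed by a blank line would exercise exactly the path the commit message calls out. A one-line comment above the loop saying that curlen == 1 means a blank line would also help, since on its own `curlen > 1` reads as an arbitrary bound.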

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |    4 ++++
 nss/nss_files/files-netgrp.c |    3 ++-
 2 files changed, 6 insertions(+), 1 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

