From patchwork Sun Dec 20 17:55:34 2015
X-Patchwork-Submitter: Aurelien Jarno
X-Patchwork-Id: 559349
From: Aurelien Jarno
To: libc-alpha@sourceware.org
Cc: Siddhesh Poyarekar
Subject: [COMMITTED 2.19] Avoid overlapping addresses to stpcpy calls in nscd (BZ #16760)
Date: Sun, 20 Dec 2015 18:55:34 +0100
Message-Id: <1450634134-13084-3-git-send-email-aurelien@aurel32.net>

From: Siddhesh Poyarekar

Calls to stpcpy from nscd netgroups code will have overlapping source and destination when all three values in the returned triplet are non-NULL and in the expected (host,user,domain) order. This is seen in valgrind as:

==3181== Source and destination overlap in stpcpy(0x19973b48, 0x19973b48)
==3181== at 0x4C2F30A: stpcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3181== by 0x12567A: addgetnetgrentX (string3.h:111)
==3181== by 0x12722D: addgetnetgrent (netgroupcache.c:665)
==3181== by 0x11114C: nscd_run_worker (connections.c:1338)
==3181== by 0x4E3C102: start_thread (pthread_create.c:309)
==3181== by 0x59B81AC: clone (clone.S:111)
==3181==

Fix this by using memmove instead of stpcpy.

(cherry picked from commit ea7d8b95e2fcb81f68b04ed7787a3dbda023991a)

--- ChangeLog | 4 ++++ NEWS | 7 ++++--- nscd/netgroupcache.c | 16 ++++++++++------ 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 896b564..e82ba7d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,10 @@ * inet/getnetgrent_r.c (get_nonempty_val): New function. (nscd_getnetgrent): Use it. + [BZ #16760] + * nscd/netgroupcache.c (addgetnetgrentX): Use memmove instead + of stpcpy. + 2015-11-24 Andreas Schwab [BZ #17062] diff --git a/NEWS b/NEWS index 6f295a2..2972c4a 100644 --- a/NEWS +++ b/NEWS
@@ -9,9 +9,10 @@ Version 2.19.1 * The following bugs are resolved with this release: - 15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16878, - 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069, 17079, - 17137, 17153, 17213, 17263, 17269, 17325, 17555, 18007, 18032, 18287. + 15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760, + 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069, + 17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 18007, 18032, + 18287. * A buffer overflow in gethostbyname_r and related functions performing DNS requests has been fixed. If the NSS functions were called with a diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index 8c619ea..c61d10b 100644 --- a/nscd/netgroupcache.c +++ b/nscd/netgroupcache.c @@ -211,6 +211,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, const char *nuser = data.val.triple.user; const char *ndomain = data.val.triple.domain; + size_t hostlen = strlen (nhost ?: "") + 1; + size_t userlen = strlen (nuser ?: "") + 1; + size_t domainlen = strlen (ndomain ?: "") + 1; + if (nhost == NULL || nuser == NULL || ndomain == NULL || nhost > nuser || nuser > ndomain) { @@ -228,9 +232,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, : last + strlen (last) + 1 - buffer); /* We have to make temporary copies. */ - size_t hostlen = strlen (nhost ?: "") + 1; - size_t userlen = strlen (nuser ?: "") + 1; - size_t domainlen = strlen (ndomain ?: "") + 1; size_t needed = hostlen + userlen + domainlen; if (buflen - req->key_len - bufused < needed) 
@@ -264,9 +265,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, } char *wp = buffer + buffilled; - wp = stpcpy (wp, nhost) + 1; - wp = stpcpy (wp, nuser) + 1; - wp = stpcpy (wp, ndomain) + 1; + wp = memmove (wp, nhost ?: "", hostlen); + wp += hostlen; + wp = memmove (wp, nuser ?: "", userlen); + wp += userlen; + wp = memmove (wp, ndomain ?: "", domainlen); + wp += domainlen; buffilled = wp - buffer; ++nentries; }
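Review bot: in the first nscd/netgroupcache.c hunk (@@ -211,6 +211,10 @@) the three `size_t hostlen/userlen/domainlen` declarations now sit above the NULL/ordering check with nothing nearby that uses them, so a one-line comment saying they are hoisted out of the temporary-copies block (the second hunk, where they used to live next to `/* We have to make temporary copies. */`) because the final memmove calls need them would save the next reader a search; it would also explain why the `?: ""` fallbacks are required at this point, where nhost, nuser and ndomain may still be NULL.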
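Review bot: in the last hunk (@@ -264,9 +265,12 @@) switching to memmove fixes the identical-address case from the valgrind report, but the three copies are only collectively safe if the write cursor never runs ahead of a source that is still to be read; the `nhost > nuser || nuser > ndomain` check in the first hunk orders the sources, yet nothing visible here states that `buffer + buffilled` is at or below nhost, so a comment recording that invariant would let the fix be reviewed without the rest of the function. Two smaller points: `wp = memmove (wp, nhost ?: "", hostlen); wp += hostlen;` works because memmove returns its destination, but the assignment is a no-op and `memmove (wp, nhost ?: "", hostlen); wp += hostlen;` reads more plainly; and given the NULL check above, nhost, nuser and ndomain are expected to be non-NULL by this point, so the `?: ""` fallbacks here look unreachable and deserve either removal or a comment saying which path needs them.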
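To make the overlap issue from the commit message concrete, here is the packing step of addgetnetgrentX rewritten as a stand-alone function that uses memmove the way the fix does, driven by two constructed cases: the source == destination layout valgrind flagged, and a gapped layout where each copy slides left over its own source. This is an added example, not glibc's code or part of this patch; `pack_triple`, `overlap_case_ok` and `gap_case_ok` are names assumed here.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not glibc's code: pack a (host,user,domain) triple as
   three NUL-terminated strings at buf + offset, mirroring the fixed copy
   in addgetnetgrentX.  Unlike stpcpy, memmove is defined when a source
   already sits at the destination (the case valgrind flagged).  Returns
   bytes in use after the copy, or 0 if the triple does not fit.  */
static size_t
pack_triple (char *buf, size_t buflen, size_t offset,
             const char *host, const char *user, const char *domain)
{
  /* As in the patch, a NULL member is copied as "" (length 1).  */
  size_t hostlen = strlen (host ? host : "") + 1;
  size_t userlen = strlen (user ? user : "") + 1;
  size_t domainlen = strlen (domain ? domain : "") + 1;
  size_t needed = hostlen + userlen + domainlen;
  if (offset > buflen || buflen - offset < needed)
    return 0;
  char *wp = buf + offset;
  memmove (wp, host ? host : "", hostlen);
  wp += hostlen;
  memmove (wp, user ? user : "", userlen);
  wp += userlen;
  memmove (wp, domain ? domain : "", domainlen);
  wp += domainlen;
  return (size_t) (wp - buf);
}

/* The valgrind case, on constructed data: each source already sits
   exactly where it is to be written (source == destination).  */
static int
overlap_case_ok (void)
{
  char buf[64] = "host\0user\0dom";
  size_t n = pack_triple (buf, sizeof buf, 0, buf, buf + 5, buf + 10);
  return n == 14 && memcmp (buf, "host\0user\0dom\0", 14) == 0;
}

/* Sources inside the buffer with gaps: each copy shifts left over its
   own source, which memmove handles and stpcpy does not guarantee.  */
static int
gap_case_ok (void)
{
  char buf[64] = { 0 };
  memcpy (buf, "host", 5);
  memcpy (buf + 8, "user", 5);
  memcpy (buf + 16, "dom", 4);
  size_t n = pack_triple (buf, sizeof buf, 0, buf, buf + 8, buf + 16);
  return n == 14 && memcmp (buf, "host\0user\0dom\0", 14) == 0;
}
```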