This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug nscd/1363] New: getXXbyYY functions coredump in nscd_getpw_r: free of static resultbuf
- From: "kees dot verruijt at redwood dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 22 Sep 2005 14:18:29 -0000
- Subject: [Bug nscd/1363] New: getXXbyYY functions coredump in nscd_getpw_r: free of static resultbuf
- Reply-to: sourceware-bugzilla at sourceware dot org
nscd_getpw_r() will call free() on a static buffer passed in to it when called by
getpwnam() and friends.
This can be seen by simple code inspection in nscd/nscd_getpw_r.c.
(Discussion is based on CVS version 1.30, which is the current MAIN.) The
following excerpt shows a few lines of nscd/nscd_getpw_r.c:
86:nscd_getpw_r (...)
96: retry:;
142: resultbuf->pw_uid = pw_resp->pw_uid;
203: if (__nscd_drop_map_ref (mapped, &gc_cycle) != 0 && retval != -1)
230: free (resultbuf);
232: goto retry;
The above shows that if there has been a GC cycle, resultbuf is freed and
then reused in the next retry. That's incorrect. It is also incorrect in that
resultbuf is passed in, and it can be a buffer that's not from the heap.
This turns up in a simple getpwnam() call made during a GC cycle. This tries to
free the resbuf in getpwnam and thus dumps core.
Suggested fix: remove free(resultbuf) (line 230).
--
Summary: getXXbyYY functions coredump in nscd_getpw_r: free of
static resultbuf
Product: glibc
Version: 2.3.5
Status: NEW
Severity: normal
Priority: P2
Component: nscd
AssignedTo: drepper at redhat dot com
ReportedBy: kees dot verruijt at redwood dot com
CC: glibc-bugs at sources dot redhat dot com
GCC build triplet: 2.3.5
GCC host triplet: 2.3.5
GCC target triplet: 2.3.5
http://sourceware.org/bugzilla/show_bug.cgi?id=1363
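Added example, not part of the original report and not glibc code: a reduced model of the retry path described above, showing the ownership rule that the suggested fix restores (the callee never frees a caller-supplied result buffer, which may be static). The names lookup_r, lookup, struct result and gc_pending are hypothetical, and the GC cycle is simulated with a constructed counter.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the result record filled by the lookup. */
struct result { unsigned uid; char name[32]; };

/* Constructed state: number of upcoming attempts that hit a GC cycle. */
static int gc_pending;

static int map_changed_during_read(void)
{
    if (gc_pending > 0) { gc_pending--; return 1; }
    return 0;
}

/* Fills the caller-owned resultbuf. Returns attempts used, or -1. */
int lookup_r(const char *name, struct result *resultbuf, int max_retries)
{
    int attempts = 0;
retry:
    attempts++;
    resultbuf->uid = 1000;  /* constructed sample value */
    snprintf(resultbuf->name, sizeof resultbuf->name, "%s", name);
    if (map_changed_during_read()) {
        if (attempts > max_retries)
            return -1;
        /* The report's pattern frees resultbuf at this point. The buffer
           belongs to the caller and may be static, on the stack or on the
           heap, so only the stale contents are discarded before retrying. */
        memset(resultbuf, 0, sizeof *resultbuf);
        goto retry;
    }
    return attempts;
}

/* Non-reentrant wrapper with a static buffer, the case the report
   says dumps core when the callee frees it. */
struct result *lookup(const char *name)
{
    static struct result resbuf;
    return lookup_r(name, &resbuf, 5) > 0 ? &resbuf : NULL;
}

int main(void)
{
    gc_pending = 2;  /* force two retries */
    struct result *r = lookup("alice");
    printf("%s uid=%u\n", r ? r->name : "(none)", r ? r->uid : 0);
    return r ? 0 : 1;
}
```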