This is the mail archive of the libc-hacker@sources.redhat.com mailing list for the glibc project.

Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[PATCH] check for buffer underrun in nss_compat

Hi,

After debugging one crash I found out that there is a case where
buflen is exact zero in nss_compat. Since we work with negative
offsets, this means reading the next line results in memory corruption.
In real life I only saw this with a test suite which uses buffers
of size 1.
Here is a patch to make sure that this will not happen:

2004-09-11  Thorsten Kukuk  <kukuk@suse.de>

	* nis/nss_compat/compat-grp.c: Check that buflen is greater zero
	before writing data into the buffer with negative offset.
	* nis/nss_compat/compat-initgroups.c: Likewise.
	* nis/nss_compat/compat-pwd.c: Likewise.
	* nis/nss_compat/compat-spwd.c Likewise.

--- nis/nss_compat/compat-grp.c	28 Jun 2003 07:58:41 -0000	1.28
+++ nis/nss_compat/compat-grp.c	11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996,1997,1998,1999,2001,2002, 2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996,1997,1998,1999,2001,2002, 2003, 2004 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Thorsten Kukuk <kukuk@suse.de>, 1996.
 
@@ -253,6 +253,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -384,6 +389,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -511,6 +521,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-initgroups.c	19 Aug 2004 21:08:49 -0000	1.16
+++ nis/nss_compat/compat-initgroups.c	11 Sep 2004 20:53:05 -0000
@@ -327,6 +327,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-pwd.c	28 Jun 2003 07:59:28 -0000	1.33
+++ nis/nss_compat/compat-pwd.c	11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996-1999,2001,2002,2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996-1999,2001,2002,2003, 2004 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996.
 
@@ -499,6 +499,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -694,6 +699,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -897,6 +907,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
--- nis/nss_compat/compat-spwd.c	2 Sep 2003 00:45:13 -0000	1.26
+++ nis/nss_compat/compat-spwd.c	11 Sep 2004 20:53:05 -0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996-1999,2001,2002,2003 Free Software Foundation, Inc.
+/* Copyright (C) 1996-1999,2001,2002,2003, 2004 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996.
 
@@ -451,6 +451,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);
@@ -645,6 +650,11 @@
 
       do
 	{
+	  if (buflen < 3) /* We need at least 3 characters for one line.  */
+	    {
+	      *errnop = ERANGE;
+	      return NSS_STATUS_TRYAGAIN;
+	    }
 	  fgetpos (ent->stream, &pos);
 	  buffer[buflen - 1] = '\xff';
 	  p = fgets_unlocked (buffer, buflen, ent->stream);


-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Maxfeldstr. 5                 D-90409 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B
Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]