Fix handling of netgroup cache in nscd

2025-02-17 13:00:43 +08:00 · 2013-06-10 14:39:09 +02:00 · 2013-06-10 14:39:09 +02:00 · 50fd745b4d
commit 50fd745b4d
parent 3ee7e9fe34
5 changed files with 33 additions and 15 deletions
--- a/9
+++ b/9
@ -1,3 +1,12 @@
+2013-06-11  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #15577]
+	* nscd/connections.c (nscd_run_worker): Always zero-terminate key.
+	* nscd/netgroupcache.c (addgetnetgrentX): Properly handle absent
+	values in the triple.
+	* nscd/nscd_netgroup.c (__nscd_setnetgrent): Include zero
+	terminator in the group key.
+
 2013-06-11  Andreas Jaeger  <aj@suse.de>

 	* po/zh_TW.po: Update Chinese (traditional) translation from
--- a/2
+++ b/2
@ -19,7 +19,7 @@ Version 2.18
  15336, 15337, 15339, 15342, 15346, 15359, 15361, 15366, 15380, 15381,
  15394, 15395, 15405, 15406, 15409, 15416, 15418, 15419, 15423, 15424,
  15426, 15429, 15441, 15442, 15448, 15465, 15480, 15485, 15488, 15490,
-  15493, 15497, 15506, 15529, 15536, 15553, 15583.
+  15493, 15497, 15506, 15529, 15536, 15553, 15577, 15583.

 * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
  #15078).
--- a/nscd/connections.c
+++ b/nscd/connections.c
@ -1779,7 +1779,7 @@ nscd_run_worker (void *p)
      else
 	{
 	  /* Get the key.  */
-	  char keybuf[MAXKEYLEN];
+	  char keybuf[MAXKEYLEN + 1];

 	  if (__builtin_expect (TEMP_FAILURE_RETRY (read (fd, keybuf,
 							  req.key_len))
@ -1791,6 +1791,7 @@ nscd_run_worker (void *p)
 			 strerror_r (errno, buf, sizeof (buf)));
 	      goto close_and_out;
 	    }
+	  keybuf[req.key_len] = '\0';

 	  if (__builtin_expect (debug_level, 0) > 0)
 	    {
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@ -192,18 +192,26 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
 			    const char *nuser = data.val.triple.user;
 			    const char *ndomain = data.val.triple.domain;

-			    if (data.val.triple.host > data.val.triple.user
-				|| data.val.triple.user > data.val.triple.domain)
+			    if (nhost == NULL || nuser == NULL || ndomain == NULL
+				|| nhost > nuser || nuser > ndomain)
 			      {
-				const char *last = MAX (nhost,
-							MAX (nuser, ndomain));
-				size_t bufused = (last + strlen (last) + 1
-						  - buffer);
+				const char *last = nhost;
+				if (last == NULL
+				    || (nuser != NULL && nuser > last))
+				  last = nuser;
+				if (last == NULL
+				    || (ndomain != NULL && ndomain > last))
+				  last = ndomain;
+
+				size_t bufused
+				  = (last == NULL
+				     ? buffilled
+				     : last + strlen (last) + 1 - buffer);

 				/* We have to make temporary copies.  */
-				size_t hostlen = strlen (nhost) + 1;
-				size_t userlen = strlen (nuser) + 1;
-				size_t domainlen = strlen (ndomain) + 1;
+				size_t hostlen = strlen (nhost ?: "") + 1;
+				size_t userlen = strlen (nuser ?: "") + 1;
+				size_t domainlen = strlen (ndomain ?: "") + 1;
 				size_t needed = hostlen + userlen + domainlen;

 				if (buflen - req->key_len - bufused < needed)
@ -226,11 +234,11 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
 				  }

 				nhost = memcpy (buffer + bufused,
-						nhost, hostlen);
+						nhost ?: "", hostlen);
 				nuser = memcpy ((char *) nhost + hostlen,
-						nuser, userlen);
+						nuser ?: "", userlen);
 				ndomain = memcpy ((char *) nuser + userlen,
-						  ndomain, domainlen);
+						  ndomain ?: "", domainlen);
 			      }

 			    char *wp = buffer + buffilled;
--- a/nscd/nscd_netgroup.c
+++ b/nscd/nscd_netgroup.c
@ -48,7 +48,7 @@ __nscd_setnetgrent (const char *group, struct __netgrent *datap)
 {
  int gc_cycle;
  int nretries = 0;
-  size_t group_len = strlen (group);
+  size_t group_len = strlen (group) + 1;

  /* If the mapping is available, try to search there instead of
     communicating with the nscd.  */