5de29b
commit ea7d8b95e2fcb81f68b04ed7787a3dbda023991a
5de29b
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
5de29b
Date:   Thu Mar 27 19:48:15 2014 +0530
5de29b
5de29b
    Avoid overlapping addresses to stpcpy calls in nscd (BZ #16760)
5de29b
    
5de29b
    Calls to stpcpy from nscd netgroups code will have overlapping source
5de29b
    and destination when all three values in the returned triplet are
5de29b
    non-NULL and in the expected (host,user,domain) order.  This is seen
5de29b
    in valgrind as:
5de29b
    
5de29b
    ==3181== Source and destination overlap in stpcpy(0x19973b48, 0x19973b48)
5de29b
    ==3181==    at 0x4C2F30A: stpcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
5de29b
    ==3181==    by 0x12567A: addgetnetgrentX (string3.h:111)
5de29b
    ==3181==    by 0x12722D: addgetnetgrent (netgroupcache.c:665)
5de29b
    ==3181==    by 0x11114C: nscd_run_worker (connections.c:1338)
5de29b
    ==3181==    by 0x4E3C102: start_thread (pthread_create.c:309)
5de29b
    ==3181==    by 0x59B81AC: clone (clone.S:111)
5de29b
    ==3181==
5de29b
    
5de29b
    Fix this by using memmove instead of stpcpy.
5de29b
12745e
diff --git glibc-2.17-c758a686/nscd/netgroupcache.c glibc-2.17-c758a686/nscd/netgroupcache.c
5de29b
index 5d15aa4..820d823 100644
12745e
--- glibc-2.17-c758a686/nscd/netgroupcache.c
12745e
+++ glibc-2.17-c758a686/nscd/netgroupcache.c
5de29b
@@ -216,6 +216,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
5de29b
 			    const char *nuser = data.val.triple.user;
5de29b
 			    const char *ndomain = data.val.triple.domain;
5de29b
 
5de29b
+			    size_t hostlen = strlen (nhost ?: "") + 1;
5de29b
+			    size_t userlen = strlen (nuser ?: "") + 1;
5de29b
+			    size_t domainlen = strlen (ndomain ?: "") + 1;
5de29b
+
5de29b
 			    if (nhost == NULL || nuser == NULL || ndomain == NULL
5de29b
 				|| nhost > nuser || nuser > ndomain)
5de29b
 			      {
5de29b
@@ -233,9 +237,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
5de29b
 				     : last + strlen (last) + 1 - buffer);
5de29b
 
5de29b
 				/* We have to make temporary copies.  */
5de29b
-				size_t hostlen = strlen (nhost ?: "") + 1;
5de29b
-				size_t userlen = strlen (nuser ?: "") + 1;
5de29b
-				size_t domainlen = strlen (ndomain ?: "") + 1;
5de29b
 				size_t needed = hostlen + userlen + domainlen;
5de29b
 
5de29b
 				if (buflen - req->key_len - bufused < needed)
5de29b
@@ -269,9 +270,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
5de29b
 			      }
5de29b
 
5de29b
 			    char *wp = buffer + buffilled;
5de29b
-			    wp = stpcpy (wp, nhost) + 1;
5de29b
-			    wp = stpcpy (wp, nuser) + 1;
5de29b
-			    wp = stpcpy (wp, ndomain) + 1;
5de29b
+			    wp = memmove (wp, nhost ?: "", hostlen);
5de29b
+			    wp += hostlen;
5de29b
+			    wp = memmove (wp, nuser ?: "", userlen);
5de29b
+			    wp += userlen;
5de29b
+			    wp = memmove (wp, ndomain ?: "", domainlen);
5de29b
+			    wp += domainlen;
5de29b
 			    buffilled = wp - buffer;
5de29b
 			    ++nentries;
5de29b
 			  }