|
 |
d8307d |
commit 745664bd798ec8fd50438605948eea594179fba1
|
|
|
d8307d |
Author: Florian Weimer <fweimer@redhat.com>
|
|
|
d8307d |
Date: Tue Aug 28 13:19:27 2018 +0200
|
|
|
d8307d |
|
|
|
d8307d |
nscd: Fix use-after-free in addgetnetgrentX [BZ #23520]
|
|
|
d8307d |
|
|
|
d8307d |
addinnetgrX may use the heap-allocated buffer, so free the buffer
|
|
|
d8307d |
in this function.
|
|
|
d8307d |
|
|
|
d8307d |
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
|
|
|
d8307d |
index 2b35389cc816c3c8..87059fb28042f0a5 100644
|
|
|
d8307d |
--- a/nscd/netgroupcache.c
|
|
|
d8307d |
+++ b/nscd/netgroupcache.c
|
|
|
d8307d |
@@ -113,7 +113,8 @@ do_notfound (struct database_dyn *db, int fd, request_header *req,
|
|
|
d8307d |
static time_t
|
|
|
d8307d |
addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
|
|
d8307d |
const char *key, uid_t uid, struct hashentry *he,
|
|
|
d8307d |
- struct datahead *dh, struct dataset **resultp)
|
|
|
d8307d |
+ struct datahead *dh, struct dataset **resultp,
|
|
|
d8307d |
+ void **tofreep)
|
|
|
d8307d |
{
|
|
|
d8307d |
if (__glibc_unlikely (debug_level > 0))
|
|
|
d8307d |
{
|
|
|
d8307d |
@@ -139,6 +140,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
|
|
d8307d |
size_t group_len = strlen (key) + 1;
|
|
|
d8307d |
struct name_list *first_needed
|
|
|
d8307d |
= alloca (sizeof (struct name_list) + group_len);
|
|
|
d8307d |
+ *tofreep = NULL;
|
|
|
d8307d |
|
|
|
d8307d |
if (netgroup_database == NULL
|
|
|
d8307d |
&& __nss_database_lookup ("netgroup", NULL, NULL, &netgroup_database))
|
|
|
d8307d |
@@ -151,6 +153,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
|
|
d8307d |
|
|
|
d8307d |
memset (&data, '\0', sizeof (data));
|
|
|
d8307d |
buffer = xmalloc (buflen);
|
|
|
d8307d |
+ *tofreep = buffer;
|
|
|
d8307d |
first_needed->next = first_needed;
|
|
|
d8307d |
memcpy (first_needed->name, key, group_len);
|
|
|
d8307d |
data.needed_groups = first_needed;
|
|
|
d8307d |
@@ -439,8 +442,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
|
|
d8307d |
}
|
|
|
d8307d |
|
|
|
d8307d |
out:
|
|
|
d8307d |
- free (buffer);
|
|
|
d8307d |
-
|
|
|
d8307d |
*resultp = dataset;
|
|
|
d8307d |
|
|
|
d8307d |
return timeout;
|
|
|
d8307d |
@@ -477,8 +478,12 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
|
|
|
d8307d |
group, group_len,
|
|
|
d8307d |
db, uid);
|
|
|
d8307d |
time_t timeout;
|
|
|
d8307d |
+ void *tofree;
|
|
|
d8307d |
if (result != NULL)
|
|
|
d8307d |
- timeout = result->head.timeout;
|
|
|
d8307d |
+ {
|
|
|
d8307d |
+ timeout = result->head.timeout;
|
|
|
d8307d |
+ tofree = NULL;
|
|
|
d8307d |
+ }
|
|
|
d8307d |
else
|
|
|
d8307d |
{
|
|
|
d8307d |
request_header req_get =
|
|
|
d8307d |
@@ -487,7 +492,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
|
|
|
d8307d |
.key_len = group_len
|
|
|
d8307d |
};
|
|
|
d8307d |
timeout = addgetnetgrentX (db, -1, &req_get, group, uid, NULL, NULL,
|
|
|
d8307d |
- &result);
|
|
|
d8307d |
+ &result, &tofree);
|
|
|
d8307d |
}
|
|
|
d8307d |
|
|
|
d8307d |
struct indataset
|
|
|
d8307d |
@@ -560,7 +565,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
|
|
|
d8307d |
++dh->nreloads;
|
|
|
d8307d |
if (cacheable)
|
|
|
d8307d |
pthread_rwlock_unlock (&db->lock);
|
|
|
d8307d |
- return timeout;
|
|
|
d8307d |
+ goto out;
|
|
|
d8307d |
}
|
|
|
d8307d |
|
|
|
d8307d |
if (he == NULL)
|
|
|
d8307d |
@@ -596,17 +601,30 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
|
|
|
d8307d |
dh->usable = false;
|
|
|
d8307d |
}
|
|
|
d8307d |
|
|
|
d8307d |
+ out:
|
|
|
d8307d |
+ free (tofree);
|
|
|
d8307d |
return timeout;
|
|
|
d8307d |
}
|
|
|
d8307d |
|
|
|
d8307d |
|
|
|
d8307d |
+static time_t
|
|
|
d8307d |
+addgetnetgrentX_ignore (struct database_dyn *db, int fd, request_header *req,
|
|
|
d8307d |
+ const char *key, uid_t uid, struct hashentry *he,
|
|
|
d8307d |
+ struct datahead *dh)
|
|
|
d8307d |
+{
|
|
|
d8307d |
+ struct dataset *ignore;
|
|
|
d8307d |
+ void *tofree;
|
|
|
d8307d |
+ time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh,
|
|
|
d8307d |
+ &ignore, &tofree);
|
|
|
d8307d |
+ free (tofree);
|
|
|
d8307d |
+ return timeout;
|
|
|
d8307d |
+}
|
|
|
d8307d |
+
|
|
|
d8307d |
void
|
|
|
d8307d |
addgetnetgrent (struct database_dyn *db, int fd, request_header *req,
|
|
|
d8307d |
void *key, uid_t uid)
|
|
|
d8307d |
{
|
|
|
d8307d |
- struct dataset *ignore;
|
|
|
d8307d |
-
|
|
|
d8307d |
- addgetnetgrentX (db, fd, req, key, uid, NULL, NULL, &ignore);
|
|
|
d8307d |
+ addgetnetgrentX_ignore (db, fd, req, key, uid, NULL, NULL);
|
|
|
d8307d |
}
|
|
|
d8307d |
|
|
|
d8307d |
|
|
|
d8307d |
@@ -619,10 +637,8 @@ readdgetnetgrent (struct database_dyn *db, struct hashentry *he,
|
|
|
d8307d |
.type = GETNETGRENT,
|
|
|
d8307d |
.key_len = he->len
|
|
|
d8307d |
};
|
|
|
d8307d |
- struct dataset *ignore;
|
|
|
d8307d |
-
|
|
|
d8307d |
- return addgetnetgrentX (db, -1, &req, db->data + he->key, he->owner, he, dh,
|
|
|
d8307d |
- &ignore);
|
|
|
d8307d |
+ return addgetnetgrentX_ignore
|
|
|
d8307d |
+ (db, -1, &req, db->data + he->key, he->owner, he, dh);
|
|
|
d8307d |
}
|
|
|
d8307d |
|
|
|
d8307d |
|