|
|
|
|
commit af37a8a3496327a6e5617a2c76f17aa1e8db835e
|
|
|
|
|
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
|
|
|
|
|
Date: Mon Jan 27 11:32:44 2014 +0530
|
|
|
|
|
|
|
|
|
|
Avoid undefined behaviour in netgroupcache
|
|
|
|
|
|
|
|
|
|
Using a buffer after it has been reallocated is undefined behaviour,
|
|
|
|
|
so get offsets of the triplets in the old buffer before reallocating
|
|
|
|
|
it.
|
|
|
|
|
|
|
|
|
|
commit 5d41dadf31bc8a2f9c34c40d52a442d3794e405c
|
|
|
|
|
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
|
|
|
|
|
Date: Fri Jan 24 13:51:15 2014 +0530
|
|
|
|
|
|
|
|
|
|
Adjust pointers to triplets in netgroup query data (BZ #16474)
|
|
|
|
|
|
|
|
|
|
The _nss_*_getnetgrent_r query populates the netgroup results in the
|
|
|
|
|
allocated buffer and then sets the result triplet to point to strings
|
|
|
|
|
in the buffer. This is a problem when the buffer is reallocated since
|
|
|
|
|
the pointers to the triplet strings are no longer valid. The pointers
|
|
|
|
|
need to be adjusted so that they now point to strings in the
|
|
|
|
|
reallocated buffer.
|
|
|
|
|
|
|
|
|
|
commit 980cb5180e1b71224a57ca52b995c959b7148c09
|
|
|
|
|
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
|
|
|
|
|
Date: Thu Jan 16 10:20:22 2014 +0530
|
|
|
|
|
|
|
|
|
|
Don't use alloca in addgetnetgrentX (BZ #16453)
|
|
|
|
|
|
|
|
|
|
addgetnetgrentX has a buffer which is grown as per the needs of the
|
|
|
|
|
requested size either by using alloca or by falling back to malloc if
|
|
|
|
|
the size is larger than 1K. There are two problems with the alloca
|
|
|
|
|
bits: firstly, it doesn't really extend the buffer since it does not
|
|
|
|
|
use the return value of the extend_alloca macro, which is the location
|
|
|
|
|
of the reallocated buffer. Due to this the buffer does not actually
|
|
|
|
|
extend itself and hence a subsequent write may overwrite stuff on the
|
|
|
|
|
stack.
|
|
|
|
|
|
|
|
|
|
The second problem is more subtle - the buffer growth on the stack is
|
|
|
|
|
discontinuous due to block scope local variables. Combine that with
|
|
|
|
|
the fact that unlike realloc, extend_alloca does not copy over old
|
|
|
|
|
content and you have a situation where the buffer just has garbage in
|
|
|
|
|
the space where it should have had data.
|
|
|
|
|
|
|
|
|
|
This could have been fixed by adding code to copy over old data
|
|
|
|
|
whenever we call extend_alloca, but it seems unnecessarily
|
|
|
|
|
complicated. This code is not exactly a performance hotspot (it's
|
|
|
|
|
called when there is a cache miss, so factors like network lookup or
|
|
|
|
|
file reads will dominate over memory allocation/reallocation), so this
|
|
|
|
|
premature optimization is unnecessary.
|
|
|
|
|
|
|
|
|
|
Thanks Brad Hubbard <bhubbard@redhat.com> for his help with debugging
|
|
|
|
|
the problem.
|
|
|
|
|
|
|
|
|
|
diff -pruN glibc-2.17-c758a686/nscd/netgroupcache.c glibc-2.17-c758a686/nscd/netgroupcache.c
|
|
|
|
|
--- glibc-2.17-c758a686/nscd/netgroupcache.c 2014-04-09 12:13:58.618582111 +0530
|
|
|
|
|
+++ glibc-2.17-c758a686/nscd/netgroupcache.c 2014-04-09 12:07:21.486598665 +0530
|
|
|
|
|
@@ -93,7 +93,6 @@ addgetnetgrentX (struct database_dyn *db
|
|
|
|
|
size_t buffilled = sizeof (*dataset);
|
|
|
|
|
char *buffer = NULL;
|
|
|
|
|
size_t nentries = 0;
|
|
|
|
|
- bool use_malloc = false;
|
|
|
|
|
size_t group_len = strlen (key) + 1;
|
|
|
|
|
union
|
|
|
|
|
{
|
|
|
|
|
@@ -138,7 +137,7 @@ addgetnetgrentX (struct database_dyn *db
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
memset (&data, '\0', sizeof (data));
|
|
|
|
|
- buffer = alloca (buflen);
|
|
|
|
|
+ buffer = xmalloc (buflen);
|
|
|
|
|
first_needed.elem.next = &first_needed.elem;
|
|
|
|
|
memcpy (first_needed.elem.name, key, group_len);
|
|
|
|
|
data.needed_groups = &first_needed.elem;
|
|
|
|
|
@@ -218,21 +217,24 @@ addgetnetgrentX (struct database_dyn *db
|
|
|
|
|
|
|
|
|
|
if (buflen - req->key_len - bufused < needed)
|
|
|
|
|
{
|
|
|
|
|
- size_t newsize = MAX (2 * buflen,
|
|
|
|
|
- buflen + 2 * needed);
|
|
|
|
|
- if (use_malloc || newsize > 1024 * 1024)
|
|
|
|
|
- {
|
|
|
|
|
- buflen = newsize;
|
|
|
|
|
- char *newbuf = xrealloc (use_malloc
|
|
|
|
|
- ? buffer
|
|
|
|
|
- : NULL,
|
|
|
|
|
- buflen);
|
|
|
|
|
-
|
|
|
|
|
- buffer = newbuf;
|
|
|
|
|
- use_malloc = true;
|
|
|
|
|
- }
|
|
|
|
|
- else
|
|
|
|
|
- extend_alloca (buffer, buflen, newsize);
|
|
|
|
|
+ buflen += MAX (buflen, 2 * needed);
|
|
|
|
|
+ /* Save offset in the old buffer. We don't
|
|
|
|
|
+ bother with the NULL check here since
|
|
|
|
|
+ we'll do that later anyway. */
|
|
|
|
|
+ size_t nhostdiff = nhost - buffer;
|
|
|
|
|
+ size_t nuserdiff = nuser - buffer;
|
|
|
|
|
+ size_t ndomaindiff = ndomain - buffer;
|
|
|
|
|
+
|
|
|
|
|
+ char *newbuf = xrealloc (buffer, buflen);
|
|
|
|
|
+ /* Fix up the triplet pointers into the new
|
|
|
|
|
+ buffer. */
|
|
|
|
|
+ nhost = (nhost ? newbuf + nhostdiff
|
|
|
|
|
+ : NULL);
|
|
|
|
|
+ nuser = (nuser ? newbuf + nuserdiff
|
|
|
|
|
+ : NULL);
|
|
|
|
|
+ ndomain = (ndomain ? newbuf + ndomaindiff
|
|
|
|
|
+ : NULL);
|
|
|
|
|
+ buffer = newbuf;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nhost = memcpy (buffer + bufused,
|
|
|
|
|
@@ -299,18 +301,8 @@ addgetnetgrentX (struct database_dyn *db
|
|
|
|
|
}
|
|
|
|
|
else if (status == NSS_STATUS_UNAVAIL && e == ERANGE)
|
|
|
|
|
{
|
|
|
|
|
- size_t newsize = 2 * buflen;
|
|
|
|
|
- if (use_malloc || newsize > 1024 * 1024)
|
|
|
|
|
- {
|
|
|
|
|
- buflen = newsize;
|
|
|
|
|
- char *newbuf = xrealloc (use_malloc
|
|
|
|
|
- ? buffer : NULL, buflen);
|
|
|
|
|
-
|
|
|
|
|
- buffer = newbuf;
|
|
|
|
|
- use_malloc = true;
|
|
|
|
|
- }
|
|
|
|
|
- else
|
|
|
|
|
- extend_alloca (buffer, buflen, newsize);
|
|
|
|
|
+ buflen *= 2;
|
|
|
|
|
+ buffer = xrealloc (buffer, buflen);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -446,8 +438,7 @@ addgetnetgrentX (struct database_dyn *db
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
- if (use_malloc)
|
|
|
|
|
- free (buffer);
|
|
|
|
|
+ free (buffer);
|
|
|
|
|
|
|
|
|
|
*resultp = dataset;
|
|
|
|
|
|
