You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
31 lines
1.1 KiB
31 lines
1.1 KiB
commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa |
|
Author: Florian Weimer <fweimer@redhat.com> |
|
Date: Thu Apr 25 15:00:45 2024 +0200 |
|
|
|
CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bug 31677) |
|
|
|
Using alloca matches what other caches do. The request length is |
|
bounded by MAXKEYLEN. |
|
|
|
Reviewed-by: Carlos O'Donell <carlos@redhat.com> |
|
|
|
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c |
|
index 0c6e46f15c..f227dc7fa2 100644 |
|
--- a/nscd/netgroupcache.c |
|
+++ b/nscd/netgroupcache.c |
|
@@ -502,12 +502,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, |
|
= (struct indataset *) mempool_alloc (db, |
|
sizeof (*dataset) + req->key_len, |
|
1); |
|
- struct indataset dataset_mem; |
|
bool cacheable = true; |
|
if (__glibc_unlikely (dataset == NULL)) |
|
{ |
|
cacheable = false; |
|
- dataset = &dataset_mem; |
|
+ /* The alloca is safe because nscd_run_worker verfies that |
|
+ key_len is not larger than MAXKEYLEN. */ |
|
+ dataset = alloca (sizeof (*dataset) + req->key_len); |
|
} |
|
|
|
datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
|
|
|