src/patches/glibc/glibc-rh1082379.patch

   1 commit ea7d8b95e2fcb81f68b04ed7787a3dbda023991a
   2 Author: Siddhesh Poyarekar <siddhesh@redhat.com>
   3 Date:   Thu Mar 27 19:48:15 2014 +0530
   4
   5     Avoid overlapping addresses to stpcpy calls in nscd (BZ #16760)
   6
   7     Calls to stpcpy from nscd netgroups code will have overlapping source
   8     and destination when all three values in the returned triplet are
   9     non-NULL and in the expected (host,user,domain) order.  This is seen
  10     in valgrind as:
  11
  12     ==3181== Source and destination overlap in stpcpy(0x19973b48, 0x19973b48)
  13     ==3181==    at 0x4C2F30A: stpcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
  14     ==3181==    by 0x12567A: addgetnetgrentX (string3.h:111)
  15     ==3181==    by 0x12722D: addgetnetgrent (netgroupcache.c:665)
  16     ==3181==    by 0x11114C: nscd_run_worker (connections.c:1338)
  17     ==3181==    by 0x4E3C102: start_thread (pthread_create.c:309)
  18     ==3181==    by 0x59B81AC: clone (clone.S:111)
  19     ==3181==
  20
  21     Fix this by using memmove instead of stpcpy.
  22
  23 diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
  24 index 5d15aa4..820d823 100644
  25 --- a/nscd/netgroupcache.c
  26 +++ b/nscd/netgroupcache.c
  27 @@ -216,6 +216,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
  28                             const char *nuser = data.val.triple.user;
  29                             const char *ndomain = data.val.triple.domain;
  30
  31 +                           size_t hostlen = strlen (nhost ?: "") + 1;
  32 +                           size_t userlen = strlen (nuser ?: "") + 1;
  33 +                           size_t domainlen = strlen (ndomain ?: "") + 1;
  34 +
  35                             if (nhost == NULL || nuser == NULL || ndomain == NULL
  36                                 || nhost > nuser || nuser > ndomain)
  37                               {
  38 @@ -233,9 +237,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
  39                                      : last + strlen (last) + 1 - buffer);
  40
  41                                 /* We have to make temporary copies.  */
  42 -                               size_t hostlen = strlen (nhost ?: "") + 1;
  43 -                               size_t userlen = strlen (nuser ?: "") + 1;
  44 -                               size_t domainlen = strlen (ndomain ?: "") + 1;
  45                                 size_t needed = hostlen + userlen + domainlen;
  46
  47                                 if (buflen - req->key_len - bufused < needed)
  48 @@ -269,9 +270,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
  49                               }
  50
  51                             char *wp = buffer + buffilled;
  52 -                           wp = stpcpy (wp, nhost) + 1;
  53 -                           wp = stpcpy (wp, nuser) + 1;
  54 -                           wp = stpcpy (wp, ndomain) + 1;
  55 +                           wp = memmove (wp, nhost ?: "", hostlen);
  56 +                           wp += hostlen;
  57 +                           wp = memmove (wp, nuser ?: "", userlen);
  58 +                           wp += userlen;
  59 +                           wp = memmove (wp, ndomain ?: "", domainlen);
  60 +                           wp += domainlen;
  61                             buffilled = wp - buffer;
  62                             ++nentries;
  63                           }