[BZ #22342] Fix netgroup cache keys.

Unlike other nscd caches, the netgroup cache contains two types of
records - those for "iterate through a netgroup" (i.e. setnetgrent())
and those for "is this user in this netgroup" (i.e. innetgr()),
i.e. full and partial records.  The timeout code assumes these records
have the same key for the group name, so that the collection of records
that is "this netgroup" can be expired as a unit.

However, the keys are not the same, as the in-netgroup key is generated
by nscd rather than being passed to it from elsewhere, and is generated
without the trailing NUL.  All other keys have the trailing NUL, and as
noted in the linked BZ, debug statements confirm that two keys for the
same netgroup are added to the cache with two different lengths.

The result of this is that as records in the cache expire, the purge
code only cleans out one of the two types of entries, resulting in
stale, possibly incorrect, and possibly inconsistent cache data.

The patch simply includes the existing NUL in the computation for the
key length ('key' points to the char after the NUL, and 'group' to the
first char of the group, so 'key-group' includes the first char to the
NUL, inclusive).

	[BZ #22342]
	* nscd/netgroupcache.c (addinnetgrX): Include trailing NUL in
	key value.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit 1c81d55fc4b07b51adf68558ba74ce975153e580)

diff --git a/ChangeLog b/ChangeLog
index a32ba57fc3c94f78f73da34196ff19fc9f086b2b..89df4d1577b62e5f72f617307b793dbf1627eae7 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2018-03-01  DJ Delorie  <dj@delorie.com>
+
+       [BZ #22342]
+       * nscd/netgroupcache.c (addinnetgrX): Include trailing NUL in
+       key value.
+
 2018-03-23  Andrew Senkevich  <andrew.senkevich@intel.com>
            Max Horn  <max@quendi.de>
 

diff --git a/NEWS b/NEWS
index a8016a054a07506868ef3e4b137902fe4f07de03..4deb16c7c7308631f2b72ecd58faecdc1dcd22be 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -107,6 +107,7 @@ The following bugs are resolved with this release:
   [22321] sysconf: Fix missing definition of UIO_MAXIOV on Linux
   [22322] libc: [mips64] wrong bits/long-double.h installed
   [22325] glibc: Memory leak in glob with GLOB_TILDE (CVE-2017-15671)
+  [22342] NSCD not properly caching netgroup
   [22343] malloc: Integer overflow in posix_memalign (CVE-2018-6485)
   [22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
   [22377] Provide a C++ version of iseqsig

diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index cd0c3ea19b220f738ddc571c96fcf79b6168de0b..741c3bba2b22f1755f20a14ac99df5c5a0b318ed 100644 (file)
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -480,7 +480,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
 {
   const char *group = key;
   key = (char *) rawmemchr (key, '\0') + 1;
-  size_t group_len = key - group - 1;
+  size_t group_len = key - group;
   const char *host = *key++ ? key : NULL;
   if (host != NULL)
     key = (char *) rawmemchr (key, '\0') + 1;