Provide correct buffer length to netgroup queries in nscd (BZ #16695)

The buffer to query netgroup entries is allocated sufficient space for
the netgroup entries and the key to be appended at the end, but it
sends in an incorrect available length to the NSS netgroup query
functions, resulting in overflow of the buffer in some special cases.
The fix here is to factor in the key length when sending the available
buffer and buffer length to the query functions.

diff --git a/ChangeLog b/ChangeLog
index 21bd6210fb5a3579ff126e777acd8809b118879a..ef301d8c3754bc07626881370703a9127aa3611f 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2014-03-12  Siddhesh Poyarekar  <siddhesh@redhat.com>
+
+       [BZ #16695]
+       * nscd/netgroupcache.c (addgetnetgrentX): Factor in space for
+       key in the buffer.
+
 2014-03-12  Adhemerval Zanella  <azanella@linux.vnet.ibm.com>
 
        * sysdeps/powerpc/powerpc64/multiarch/strspn.c (strspn): Build IFUNC

diff --git a/NEWS b/NEWS
index 51ccb27f5f2b66c1ee6d4b94b82ac70a92d6934f..483eff1131d09426e054f5a8be24d8ca674f33e4 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Version 2.20
 * The following bugs are resolved with this release:
 
   15347, 15804, 15894, 16447, 16532, 16545, 16574, 16600, 16609, 16610,
-  16611, 16613, 16623, 16632, 16639, 16670, 16674, 16677, 16683.
+  16611, 16613, 16623, 16632, 16639, 16670, 16674, 16677, 16683, 16695.
 
 * The am33 port, which had not worked for several years, has been removed
   from ports.

diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index 426d3c5e396bb0d21b4926f91233063f4b97b9eb..5ba1e1f27752961895a1cad5ecbd493b39ed8fc3 100644 (file)
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -202,7 +202,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
                  {
                    int e;
                    status = getfct.f (&data, buffer + buffilled,
-                                      buflen - buffilled, &e);
+                                      buflen - buffilled - req->key_len, &e);
                    if (status == NSS_STATUS_RETURN
                        || status == NSS_STATUS_NOTFOUND)
                      /* This was either the last one for this group or the