diff options
author | Florian Weimer <fweimer@redhat.com> | 2024-04-25 15:01:07 +0200 |
---|---|---|
committer | Andreas K. Hüttel <dilfridge@gentoo.org> | 2024-04-26 17:26:45 +1100 |
commit | f4b9ce964bbc9a8a7b42f102b7fbbf6fb45ff49d (patch) | |
tree | c668bc13be9cd319395a0290283d7cc89a4c37cf | |
parent | CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bug 31677) (diff) | |
download | glibc-f4b9ce964bbc9a8a7b42f102b7fbbf6fb45ff49d.tar.gz glibc-f4b9ce964bbc9a8a7b42f102b7fbbf6fb45ff49d.tar.bz2 glibc-f4b9ce964bbc9a8a7b42f102b7fbbf6fb45ff49d.zip |
CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bug 31678)
If we failed to add a not-found response to the cache, the dataset
point can be null, resulting in a null pointer dereference.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa)
(cherry picked from commit 541ea5172aa658c4bd5c6c6d6fd13903c3d5bb0a)
-rw-r--r-- | nscd/netgroupcache.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index 31b721bbee..32c6aef370 100644 --- a/nscd/netgroupcache.c +++ b/nscd/netgroupcache.c @@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, /* No such service. */ cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, &key_copy); - goto writeout; + goto maybe_cache_add; } memset (&data, '\0', sizeof (data)); @@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, { cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, &key_copy); - goto writeout; + goto maybe_cache_add; } total = buffilled; @@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, } if (he == NULL && fd != -1) - { - /* We write the dataset before inserting it to the database - since while inserting this thread might block and so would - unnecessarily let the receiver wait. */ - writeout: + /* We write the dataset before inserting it to the database since + while inserting this thread might block and so would + unnecessarily let the receiver wait. */ writeall (fd, &dataset->resp, dataset->head.recsize); - } + maybe_cache_add: if (cacheable) { /* If necessary, we also propagate the data to disk. */ |