authorUlrich Drepper <drepper@redhat.com>2004-11-10 07:50:03 +0000
committerUlrich Drepper <drepper@redhat.com>2004-11-10 07:50:03 +0000
commit5429ff760a5544a34c5f05f16c01a7dffa505604 (patch)
treeff81df09d20cae4092329dc25a3ed32fe7c0fc66
parent81b5ae0811c4da3701d08afa07a9b9159aac56e5 (diff)
downloadglibc-5429ff760a5544a34c5f05f16c01a7dffa505604.tar.gz
glibc-5429ff760a5544a34c5f05f16c01a7dffa505604.tar.xz
glibc-5429ff760a5544a34c5f05f16c01a7dffa505604.zip
(libc_locked_map_ptr): Add new first parameter, used as class for definition.
	* nscd/nscd-client.h (libc_locked_map_ptr): Add new first
	parameter, used as class for definition.
	* nscd/nscd_getpw_r.c: Adjust for libc_locked_map_ptr change.
	(pw_map_free): Ensure no crash after memory is freed.
	* nscd/nscd_getgr.c: Likewise.  Make map externally visible.
	* nscd/nscd_gethst.c: Likewise.
	* nscd/nscd_getai.c: Use map from nscd_gethost.c.
	* nscd/nscd_initgroups.c: Use map from nscd_getgr.c.
-rw-r--r--ChangeLog9
-rw-r--r--nscd/nscd-client.h2
-rw-r--r--nscd/nscd_getai.c7
-rw-r--r--nscd/nscd_getgr_r.c16
-rw-r--r--nscd/nscd_gethst_r.c10
-rw-r--r--nscd/nscd_getpw_r.c22
6 files changed, 61 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 48c8d706d4..8adec4449d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
 2004-11-09  Ulrich Drepper  <drepper@redhat.com>
 
+	* nscd/nscd-client.h (libc_locked_map_ptr): Add new first
+	parameter, used as class for definition.
+	* nscd/nscd_getpw_r.c: Adjust for libc_locked_map_ptr change.
+	(pw_map_free): Ensure no crash after memory is freed.
+	* nscd/nscd_getgr.c: Likewise.  Make map externally visible.
+	* nscd/nscd_gethst.c: Likewise.
+	* nscd/nscd_getai.c: Use map from nscd_gethost.c.
+	* nscd/nscd_initgroups.c: Use map from nscd_getgr.c.
+
 	* nscd/nscd_getai.c: Add some checks to detect corrupt databases.
 	* nscd/nscd_getgr_r.c: Likewise
 	* nscd/nscd_gethst_r.c: Likewise.
diff --git a/nscd/nscd-client.h b/nscd/nscd-client.h
index 2e7f27b8d5..d49cb8136c 100644
--- a/nscd/nscd-client.h
+++ b/nscd/nscd-client.h
@@ -264,7 +264,7 @@ struct locked_map_ptr
   int lock;
   struct mapped_database *mapped;
 };
-#define libc_locked_map_ptr(name) static struct locked_map_ptr name
+#define libc_locked_map_ptr(class, name) class struct locked_map_ptr name
 
 
 /* Open socket connection to nscd server.  */
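Review bot: `libc_locked_map_ptr` now takes two arguments, but the only updated use in this diff is `libc_locked_map_ptr (static, map_handle);` in nscd/nscd_getpw_r.c. If nscd/nscd_getgr_r.c and nscd/nscd_gethst_r.c still invoke it with one argument, they no longer build. Neither file's hunks touch such a line, although the ChangeLog entry says their maps become externally visible. The entry also lists nscd_initgroups.c, which is absent from the diffstat. A one-line comment above the macro would help callers, e.g. `/* CLASS is the storage-class specifier (e.g. static) for the definition of NAME.  */`.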
diff --git a/nscd/nscd_getai.c b/nscd/nscd_getai.c
index a683976d87..390b981f99 100644
--- a/nscd/nscd_getai.c
+++ b/nscd/nscd_getai.c
@@ -142,6 +142,12 @@ __nscd_getai (const char *key, struct nscd_ai_result **result, int *h_errnop)
 	  /* Copy the data in the block.  */
 	  memcpy (resultbuf + 1, respdata, datalen);
 
+	  /* Try to detect corrupt databases.  */
+	  if (resultbuf->canon != NULL
+	      && resultbuf->canon[ai_resp->canonlen - 1] != '\0')
+	    /* We cannot use the database.  */
+	    goto out_close;
+
 	  retval = 0;
 	  *result = resultbuf;
 	}
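Review bot: The added `goto out_close` abandons `resultbuf` after it has been filled but before `*result = resultbuf;`, so if `resultbuf` was heap-allocated earlier in `__nscd_getai` (the allocation is outside this hunk), the corrupt-database path leaks it. Releasing it before the jump, e.g. `free (resultbuf);` inside a braced block with the `goto`, would close that. The second hunk in this file only adds the `out_close:` label and needs no separate change.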
@@ -157,6 +163,7 @@ __nscd_getai (const char *key, struct nscd_ai_result **result, int *h_errnop)
       retval = 0;
     }
 
+ out_close:
   if (sock != -1)
     close_not_cancel_no_status (sock);
  out:
diff --git a/nscd/nscd_getgr_r.c b/nscd/nscd_getgr_r.c
index 1b94bf584f..fc10d3ea60 100644
--- a/nscd/nscd_getgr_r.c
+++ b/nscd/nscd_getgr_r.c
@@ -204,7 +204,8 @@ nscd_getgr_r (const char *key, size_t keylen, request_type type,
       else
 	/* We already have the data.  Just copy the group name and
 	   password.  */
-	memcpy (resultbuf->gr_name, gr_name, gr_name_len);
+	memcpy (resultbuf->gr_name, gr_name,
+		gr_resp->gr_name_len + gr_resp->gr_passwd_len);
 
       /* Clear the terminating entry.  */
       resultbuf->gr_mem[gr_resp->gr_mem_cnt] = NULL;
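Review bot: The new copy length uses `gr_resp->gr_name_len` while the rest of the function uses the local `gr_name_len` (visible in the next hunk), so the two spellings now sit side by side. If the local holds the same value, `gr_name_len + gr_resp->gr_passwd_len` reads more consistently. Both lengths come from the response, so the buffer-size check before this branch should cover their sum; that check is outside the hunk and worth confirming.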
@@ -242,6 +243,19 @@ nscd_getgr_r (const char *key, size_t keylen, request_type type,
 	  /* Copy the group member names.  */
 	  memcpy (resultbuf->gr_mem[0], gr_name + gr_name_len, total_len);
 
+	  /* Try to detect corrupt databases.  */
+	  if (resultbuf->gr_name[gr_name_len - 1] != '\0'
+	      || resultbuf->gr_passwd[gr_resp->gr_passwd_len - 1] != '\0'
+	      || ({for (cnt = 0; cnt < gr_resp->gr_mem_cnt; ++cnt)
+		     if (resultbuf->gr_mem[cnt][len[cnt] - 1] != '\0')
+		       break;
+	  	   cnt < gr_resp->gr_mem_cnt; }))
+	    {
+	      /* We cannot use the database.  */
+	      retval = -1;
+	      goto out_close;
+	    }
+
 	  *result = resultbuf;
 	}
     }
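Review bot: Every `x[len - 1]` test in this check indexes position -1 when the length field is zero, so a database with a zero `gr_name_len`, `gr_resp->gr_passwd_len` or `len[cnt]` makes the corruption check itself read outside the string it is validating. These lengths come from the data under suspicion, so zero should be rejected first, e.g. `gr_name_len == 0 || resultbuf->gr_name[gr_name_len - 1] != '\0'`, and likewise for the password and each member. The same pattern is in the added checks in nscd/nscd_gethst_r.c and nscd/nscd_getpw_r.c, and in nscd/nscd_getai.c unless a non-NULL `canon` already implies a non-zero `canonlen`. The function begins and ends outside the hunk, so an earlier length check may already exist there.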
diff --git a/nscd/nscd_gethst_r.c b/nscd/nscd_gethst_r.c
index 407be1441f..64d02fedc7 100644
--- a/nscd/nscd_gethst_r.c
+++ b/nscd/nscd_gethst_r.c
@@ -336,6 +336,16 @@ nscd_gethst_r (const char *key, size_t keylen, request_type type,
 	  memcpy (resultbuf->h_aliases[0],
 		  (const char *) addr_list + addr_list_len, total_len);
 
+	  /* Try to detect corrupt databases.  */
+	  if (resultbuf->h_name[hst_resp->h_name_len - 1] != '\0'
+	      || ({for (cnt = 0; cnt < hst_resp->h_aliases_cnt; ++cnt)
+		     if (resultbuf->h_aliases[cnt][aliases_len[cnt] - 1]
+			 != '\0')
+		       break;
+		   cnt < hst_resp->h_aliases_cnt; }))
+	    /* We cannot use the database.  */
+	    goto out_close;
+
 	  retval = 0;
 	  *result = resultbuf;
 	}
diff --git a/nscd/nscd_getpw_r.c b/nscd/nscd_getpw_r.c
index b04dcfaa99..fe5fb43ca1 100644
--- a/nscd/nscd_getpw_r.c
+++ b/nscd/nscd_getpw_r.c
@@ -66,14 +66,18 @@ __nscd_getpwuid_r (uid_t uid, struct passwd *resultbuf, char *buffer,
 }
 
 
-libc_locked_map_ptr (map_handle);
+libc_locked_map_ptr (static, map_handle);
 /* Note that we only free the structure if necessary.  The memory
    mapping is not removed since it is not visible to the malloc
    handling.  */
-libc_freeres_fn (gr_map_free)
+libc_freeres_fn (pw_map_free)
 {
   if (map_handle.mapped != NO_MAPPING)
-    free (map_handle.mapped);
+    {
+      void *p = map_handle.mapped;
+      map_handle.mapped = NO_MAPPING;
+      free (p);
+    }
 }
 
 
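Review bot: The new body of `pw_map_free` resets `map_handle.mapped` before calling `free`, but the comment above still describes only the old behaviour, so the reason for the ordering is undocumented. A short comment inside the block would record it, e.g. `/* Reset the handle first so later lookups see NO_MAPPING instead of a dangling pointer.  */`. The store is done without taking `map_handle.lock`; if lookups can still run while this function executes, that deserves a sentence too.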
@@ -184,6 +188,18 @@ nscd_getpw_r (const char *key, size_t keylen, request_type type,
 	  /* Copy the various strings.  */
 	  memcpy (resultbuf->pw_name, pw_name, total);
 
+	  /* Try to detect corrupt databases.  */
+	  if (resultbuf->pw_name[pw_resp->pw_name_len - 1] != '\0'
+	      || resultbuf->pw_passwd[pw_resp->pw_passwd_len - 1] != '\0'
+	      || resultbuf->pw_gecos[pw_resp->pw_gecos_len - 1] != '\0'
+	      || resultbuf->pw_dir[pw_resp->pw_dir_len - 1] != '\0'
+	      || resultbuf->pw_shell[pw_resp->pw_shell_len - 1] != '\0')
+	    {
+	      /* We cannot use the database.  */
+	      retval = -1;
+	      goto out_close;
+	    }
+
 	  *result = resultbuf;
 	}
     }