diff options
| author | Ulrich Drepper <drepper@redhat.com> | 2006-10-02 16:34:25 +0000 |
|---|---|---|
| committer | Ulrich Drepper <drepper@redhat.com> | 2006-10-02 16:34:25 +0000 |
| commit | 0b25a49a94f6d125456f1f3ac70ca7b330b69eda (patch) | |
| tree | 8f771fa4395563fce64c1b4eff22a5649fb7c6fa /nscd/nscd_helper.c | |
| parent | a128674505078487ccd21b1af49734ea7feb769a (diff) | |
| download | glibc-0b25a49a94f6d125456f1f3ac70ca7b330b69eda.tar.gz glibc-0b25a49a94f6d125456f1f3ac70ca7b330b69eda.tar.xz glibc-0b25a49a94f6d125456f1f3ac70ca7b330b69eda.zip | |
* nscd/mem.c (mempool_alloc): Round array size to 16 bytes
in oldtotal and newtotal calculation. * nscd/nscd-client.h (struct mapped_database): Add datasize field. * nscd/nscd_helper.c (get_mapping): Initialize datasize field. (__nscd_get_map_ref): Get a new mapping even if mapping's data_size increased. (__nscd_cache_search): Add checks to make sure we never reference data beyond the current mapping.
Diffstat (limited to 'nscd/nscd_helper.c')
| -rw-r--r-- | nscd/nscd_helper.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/nscd/nscd_helper.c b/nscd/nscd_helper.c index 1dfe746d7a..7c45981586 100644 --- a/nscd/nscd_helper.c +++ b/nscd/nscd_helper.c @@ -290,6 +290,7 @@ get_mapping (request_type type, const char *key, newp->data = ((char *) mapping + head.header_size + roundup (head.module * sizeof (ref_t), ALIGN)); newp->mapsize = size; + newp->datasize = head.data_size; /* Set counter to 1 to show it is usable. */ newp->counter = 1; @@ -340,7 +341,8 @@ __nscd_get_map_ref (request_type type, const char *name, /* If not mapped or timestamp not updated, request new map. */ if (cur == NULL || (cur->head->nscd_certainly_running == 0 - && cur->head->timestamp + MAPPING_TIMEOUT < time (NULL))) + && cur->head->timestamp + MAPPING_TIMEOUT < time (NULL)) + || cur->head->data_size > cur->datasize) cur = get_mapping (type, name, (struct mapped_database **) &mapptr->mapped); @@ -365,14 +367,18 @@ __nscd_cache_search (request_type type, const char *key, size_t keylen, const struct mapped_database *mapped) { unsigned long int hash = __nis_hash (key, keylen) % mapped->head->module; + size_t datasize = mapped->datasize; ref_t work = mapped->head->array[hash]; - while (work != ENDREF) + while (work != ENDREF && work + sizeof (struct hashentry) <= datasize) { struct hashentry *here = (struct hashentry *) (mapped->data + work); - if (type == here->type && keylen == here->len - && memcmp (key, mapped->data + here->key, keylen) == 0) + if (type == here->type + && keylen == here->len + && here->key + here->len <= datasize + && memcmp (key, mapped->data + here->key, keylen) == 0 + && here->packet + sizeof (struct datahead) <= datasize) { /* We found the entry. Increment the appropriate counter. */ const struct datahead *dh @@ -380,8 +386,7 @@ __nscd_cache_search (request_type type, const char *key, size_t keylen, /* See whether we must ignore the entry or whether something is wrong because garbage collection is in progress. */ - if (dh->usable && ((char *) dh + dh->allocsize - <= (char *) mapped->head + mapped->mapsize)) + if (dh->usable && here->packet + dh->allocsize <= datasize) return dh; } |