nscd: Fix double free in netgroupcache [BZ #27462]
In commit 745664bd79 a use-after-free was fixed, but this led to an occasional double-free. This patch tracks the "live" allocation better. Tested manually by a third party.
Related: RHBZ 1927877
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit dca565886b)
parent
2777e19c05
commit
c49cbcdc32
6
NEWS
6
NEWS
@ -99,6 +99,11 @@ Security related changes:
|
||||
CVE-2020-29562: An assertion failure has been fixed in the iconv function
|
||||
when invoked with UCS4 input containing an invalid character.
|
||||
|
||||
CVE-2021-27645: The nameserver caching daemon (nscd), when processing
|
||||
a request for netgroup lookup, may crash due to a double-free,
|
||||
potentially resulting in degraded service or Denial of Service on the
|
||||
local system. Reported by Chris Schanzle.
|
||||
|
||||
The following bugs are resolved with this release:
|
||||
|
||||
[6889] 'PWD' mentioned but not specified
|
||||
@ -195,6 +200,7 @@ The following bugs are resolved with this release:
|
||||
character sets (CVE-2020-27618)
|
||||
[26383] bind_textdomain_codeset doesn't accept //TRANSLIT anymore
|
||||
[26923] Assertion failure in iconv when converting invalid UCS4 (CVE-2020-29562)
|
||||
[27462] nscd: double-free in nscd (CVE-2021-27645)
|
||||
|
||||
|
||||
Version 2.27
|
||||
|
@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
: NULL);
|
||||
ndomain = (ndomain ? newbuf + ndomaindiff
|
||||
: NULL);
|
||||
buffer = newbuf;
|
||||
*tofreep = buffer = newbuf;
|
||||
}
|
||||
|
||||
nhost = memcpy (buffer + bufused,
|
||||
@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
|
||||
{
|
||||
buflen *= 2;
|
||||
buffer = xrealloc (buffer, buflen);
|
||||
*tofreep = buffer = xrealloc (buffer, buflen);
|
||||
}
|
||||
else if (status == NSS_STATUS_RETURN
|
||||
|| status == NSS_STATUS_NOTFOUND
|
||||
|
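Review bot: Both changed lines, `*tofreep = buffer = newbuf;` in the first hunk and `*tofreep = buffer = xrealloc (buffer, buflen);` in the ERANGE branch, depend on an invariant that is not written down anywhere in the visible lines: every reallocation of `buffer` must also update `*tofreep`. If that is missed, the caller keeps a stale pointer and the double-free described in the commit message (CVE-2021-27645 per the NEWS entry) can return. A later growth site added to addgetnetgrentX could break this silently, so a comment at each site such as `/* Keep *tofreep on the live block; the old one is invalid after realloc.  */` would make the ownership rule explicit. Presumably the caller frees `*tofreep` on exit, but that code is outside these hunks, as are the start and end of the function. The message says the fix was only tested manually, so a regression test that drives the ERANGE growth path under a memory checker would be worth adding if the nscd test setup allows it.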