Provide correct buffer length to netgroup queries in nscd (BZ #16695)

The buffer to query netgroup entries is allocated sufficient space for the netgroup entries and the key to be appended at the end, but it sends in an incorrect available length to the NSS netgroup query functions, resulting in overflow of the buffer in some special cases. The fix here is to factor in the key length when sending the available buffer and buffer length to the query functions.
git-mirror · Mar 12, 2014 · c44496d · c44496d
1 parent 27c7220
commit c44496d
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,9 @@
+2014-03-12  Siddhesh Poyarekar  <siddhesh@redhat.com>
+
+	[BZ #16695]
+	* nscd/netgroupcache.c (addgetnetgrentX): Factor in space for
+	key in the buffer.
+
 2014-03-12  Adhemerval Zanella  <azanella@linux.vnet.ibm.com>
 
 	* sysdeps/powerpc/powerpc64/multiarch/strspn.c (strspn): Build IFUNC

diff --git a/NEWS b/NEWS
@@ -10,7 +10,7 @@ Version 2.20
 * The following bugs are resolved with this release:
 
   15347, 15804, 15894, 16447, 16532, 16545, 16574, 16600, 16609, 16610,
-  16611, 16613, 16623, 16632, 16639, 16670, 16674, 16677, 16683.
+  16611, 16613, 16623, 16632, 16639, 16670, 16674, 16677, 16683, 16695.
 
 * The am33 port, which had not worked for several years, has been removed
   from ports.

diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
@@ -202,7 +202,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
 		  {
 		    int e;
 		    status = getfct.f (&data, buffer + buffilled,
-				       buflen - buffilled, &e);
+				       buflen - buffilled - req->key_len, &e);
 		    if (status == NSS_STATUS_RETURN
 			|| status == NSS_STATUS_NOTFOUND)
 		      /* This was either the last one for this group or the