author    Siddhesh Poyarekar <siddhesh@redhat.com>    2014-01-27 16:49:33 +0530
committer Siddhesh Poyarekar <siddhesh@redhat.com>    2014-01-27 16:49:33 +0530
commit    d7b00f98106a0f1e3d753b135eeb97dfdf6e2e74 (patch)
tree      4b8860ccb6e18818323f06063edba56aa4f2d3d3
parent    af37a8a3496327a6e5617a2c76f17aa1e8db835e (diff)
Fix invalid memory access when parsing netgroup files with blank lines (BZ #16506)
The netgroups file parsing code tries to access the character before the newline in parsed lines to see if it is a backslash (\). This results in an access before the block allocated for the line if the line is blank, i.e. does not have anything other than the newline character. This doesn't seem like it will cause any crashes because the byte belongs to the malloc metadata block and hence access to it will always succeed. There could be an invalid alteration in code flow where a blank line is seen as a continuation due to the preceding byte *happening* to be '\\'. This could be done by interposing malloc, but that's not really a security problem since one could interpose getnetgrent_r itself and achieve a similar 'exploit'. The possibility of actually exploiting this is remote to impossible since it also requires the previous line to end with a '\\', which would happen only on invalid configurations.
-rw-r--r--  ChangeLog                      | 4
-rw-r--r--  nss/nss_files/files-netgrp.c   | 3
2 files changed, 6 insertions, 1 deletions
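To show the effect of the guard on realistic input, here is an added example (not glibc code) with the patched continuation test and a hypothetical helper, `netgrp_join_lines`, that joins backslash-continued physical lines into logical lines; the sample netgroup text inside the test is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Continuation test as in the patched loop condition: a physical line
   continues onto the next only when it is at least two bytes long and
   ends in "\\\n".  The curlen > 1 guard short-circuits before
   line[curlen - 2] is read, so a bare "\n" (curlen == 1) no longer
   touches the byte in front of the buffer.  */
bool netgrp_is_continuation (const char *line, size_t curlen)
{
  return curlen > 1 && line[curlen - 1] == '\n' && line[curlen - 2] == '\\';
}

/* Hypothetical helper (not glibc's): split TEXT into physical lines and
   join backslash-continued ones into logical lines stored in OUT.
   Returns the number of logical lines written.  */
size_t netgrp_join_lines (const char *text, char out[][128], size_t max_out)
{
  char logical[128] = "";
  size_t n = 0;
  const char *p = text;

  while (*p != '\0' && n < max_out)
    {
      const char *nl = strchr (p, '\n');
      size_t curlen = nl ? (size_t) (nl - p) + 1 : strlen (p);
      bool cont = netgrp_is_continuation (p, curlen);
      /* Drop the trailing "\\\n" of a continued line, or the "\n" of a
         terminated one, before appending the body.  */
      size_t body = curlen;
      if (cont)
        body -= 2;
      else if (body > 0 && p[body - 1] == '\n')
        body -= 1;
      size_t have = strlen (logical);
      if (have + body < sizeof logical)
        {
          memcpy (logical + have, p, body);
          logical[have + body] = '\0';
        }
      if (!cont)
        {
          strcpy (out[n++], logical);
          logical[0] = '\0';
        }
      p += curlen;
    }
  /* Flush a trailing continued line that hit end of input.  */
  if (logical[0] != '\0' && n < max_out)
    strcpy (out[n++], logical);
  return n;
}
```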
diff --git a/ChangeLog b/ChangeLog
index a1f549e655..322ec08cc5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
2014-01-27 Siddhesh Poyarekar <siddhesh@redhat.com>
+ [BZ #16506]
+ * nss/nss_files/files-netgrp.c (_nss_files_setnetgrent): Avoid
+ access beyond array bounds when parsing netgroups file.
+
* nscd/netgroupcache.c (addgetnetgrentX): Compute offset from
the old buffer before realloc.
diff --git a/nss/nss_files/files-netgrp.c b/nss/nss_files/files-netgrp.c
index 339f704c93..34eae4c5be 100644
--- a/nss/nss_files/files-netgrp.c
+++ b/nss/nss_files/files-netgrp.c
@@ -103,7 +103,8 @@ _nss_files_setnetgrent (const char *group, struct __netgrent *result)
result->cursor += (curlen - group_len) - 1;
}
- while (line[curlen - 1] == '\n' && line[curlen - 2] == '\\')
+ while (curlen > 1 && line[curlen - 1] == '\n'
+ && line[curlen - 2] == '\\')
{
/* Yes, we have a continuation line. */
if (found)
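Review bot: the new `curlen > 1 && ...` condition relies on short-circuit evaluation, so it prevents the read of `line[curlen - 2]` for a bare newline (curlen == 1) and also keeps `line[curlen - 1]` from being evaluated if curlen were ever 0; a one-line comment above the `while` saying that a blank line must never be taken as a continuation (BZ #16506) would make the purpose of the guard clear to the next reader, since the condition alone does not explain it.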