(libc_locked_map_ptr): Add new first parameter, used as class for definition.

	* nscd/nscd-client.h (libc_locked_map_ptr): Add new first
	parameter, used as class for definition.
	* nscd/nscd_getpw_r.c: Adjust for libc_locked_map_ptr change.
	(pw_map_free): Ensure no crash after memory is freed.
	* nscd/nscd_getgr.c: Likewise.  Make map externally visible.
	* nscd/nscd_gethst.c: Likewise.
	* nscd/nscd_getai.c: Use map from nscd_gethost.c.
	* nscd/nscd_initgroups.c: Use map from nscd_getgr.c.

1 files changed, 19 insertions, 3 deletions

diff --git a/nscd/nscd_getpw_r.c b/nscd/nscd_getpw_r.c
index b04dcfaa99..fe5fb43ca1 100644
--- a/nscd/nscd_getpw_r.c
+++ b/nscd/nscd_getpw_r.c
@@ -66,14 +66,18 @@ __nscd_getpwuid_r (uid_t uid, struct passwd *resultbuf, char *buffer,
 }
 
 
-libc_locked_map_ptr (map_handle);
+libc_locked_map_ptr (static, map_handle);
 /* Note that we only free the structure if necessary.  The memory
    mapping is not removed since it is not visible to the malloc
    handling.  */
-libc_freeres_fn (gr_map_free)
+libc_freeres_fn (pw_map_free)
 {
   if (map_handle.mapped != NO_MAPPING)
-    free (map_handle.mapped);
+    {
+      void *p = map_handle.mapped;
+      map_handle.mapped = NO_MAPPING;
+      free (p);
+    }
 }
 
 
@@ -184,6 +188,18 @@ nscd_getpw_r (const char *key, size_t keylen, request_type type,
 	  /* Copy the various strings.  */
 	  memcpy (resultbuf->pw_name, pw_name, total);
 
+	  /* Try to detect corrupt databases.  */
+	  if (resultbuf->pw_name[pw_resp->pw_name_len - 1] != '\0'
+	      || resultbuf->pw_passwd[pw_resp->pw_passwd_len - 1] != '\0'
+	      || resultbuf->pw_gecos[pw_resp->pw_gecos_len - 1] != '\0'
+	      || resultbuf->pw_dir[pw_resp->pw_dir_len - 1] != '\0'
+	      || resultbuf->pw_shell[pw_resp->pw_shell_len - 1] != '\0')
+	    {
+	      /* We cannot use the database.  */
+	      retval = -1;
+	      goto out_close;
+	    }
+
 	  *result = resultbuf;
 	}
     }