wok-current annotate glibc/stuff/CVE-2024-33600-2.patch @ rev 25728

Merge wok for both arch and few updates
author Stanislas Leduc <shann@slitaz.org>
date Thu Dec 05 08:39:45 2024 +0000 (9 months ago)
shann@25728 1 From e3eef1b8fbdd3a7917af466ca9c4b7477251ca79 Mon Sep 17 00:00:00 2001
shann@25728 2 From: Florian Weimer <fweimer@redhat.com>
shann@25728 3 Date: Thu, 25 Apr 2024 15:01:07 +0200
shann@25728 4 Subject: [PATCH] CVE-2024-33600: nscd: Avoid null pointer crashes after
shann@25728 5 notfound response (bug 31678)
shann@25728 6
shann@25728 7 The addgetnetgrentX call in addinnetgrX may have failed to produce
shann@25728 8 a result, so the result variable in addinnetgrX can be NULL.
shann@25728 9 Use db->negtimeout as the fallback value if there is no result data;
shann@25728 10 the timeout is also overwritten below.
shann@25728 11
shann@25728 12 Also avoid sending a second not-found response. (The client
shann@25728 13 disconnects after receiving the first response, so the data stream did
shann@25728 14 not go out of sync even without this fix.) It is still beneficial to
shann@25728 15 add the negative response to the mapping, so that the client can get
shann@25728 16 it from there in the future, instead of going through the socket.
shann@25728 17
shann@25728 18 Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
shann@25728 19 (cherry picked from commit b048a482f088e53144d26a61c390bed0210f49f2)
shann@25728 20 ---
shann@25728 21 nscd/netgroupcache.c | 11 +++++++----
shann@25728 22 1 file changed, 7 insertions(+), 4 deletions(-)
shann@25728 23
shann@25728 24 diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
shann@25728 25 index f2e7d60b50e..aa9501a2c05 100644
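--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -512,14 +512,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
 
 datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
 sizeof (innetgroup_response_header),
- he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
+ he == NULL ? 0 : dh->nreloads + 1,
+ result == NULL ? db->negtimeout : result->head.ttl);
 /* Set the notfound status and timeout based on the result from
 getnetgrent. */
- dataset->head.notfound = result->head.notfound;
+ dataset->head.notfound = result == NULL || result->head.notfound;
 dataset->head.timeout = timeout;
 
 dataset->resp.version = NSCD_VERSION;
- dataset->resp.found = result->resp.found;
+ dataset->resp.found = result != NULL && result->resp.found;
 /* Until we find a matching entry the result is 0. */
 dataset->resp.result = 0;
 
@@ -567,7 +568,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
 goto out;
 }
 
- if (he == NULL)
+ /* addgetnetgrentX may have already sent a notfound response. Do
+ not send another one. */
+ if (he == NULL && dataset->resp.found)
 {
 /* We write the dataset before inserting it to the database
 since while inserting this thread might block and so would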
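Review bot: The NULL guard for `result` is applied expression by expression in the first hunk (the `ttl`, `notfound` and `found` assignments), so nothing at that point tells a later reader that `result` can be NULL for the rest of addinnetgrX. The function continues outside both hunks, and any later `result->` access has to stay reachable only when `dataset->resp.found` is set. I would state that invariant once above the `datahead_init_pos` call, e.g. `/* result may be NULL (addgetnetgrentX produced no data); only touch result-> under dataset->resp.found. */`. In the second hunk the new condition `he == NULL && dataset->resp.found` uses `found` as a stand-in for "no reply sent yet". That presumably matches every not-found path in addgetnetgrentX, but it cannot be confirmed from the lines shown and deserves a sentence in the added comment.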