wok-current view glibc/stuff/CVE-2024-33599.patch @ rev 25728

Merge wok for both arch and few updates
author Stanislas Leduc <shann@slitaz.org>
date Thu Dec 05 08:39:45 2024 +0000 (5 weeks ago)
1 From 5c75001a96abcd50cbdb74df24c3f013188d076e Mon Sep 17 00:00:00 2001
2 From: Florian Weimer <fweimer@redhat.com>
3 Date: Thu, 25 Apr 2024 15:00:45 +0200
4 Subject: [PATCH] CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup
5 cache (bug 31677)
7 Using alloca matches what other caches do. The request length is
8 bounded by MAXKEYLEN.
10 Reviewed-by: Carlos O'Donell <carlos@redhat.com>
11 (cherry picked from commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa)
12 ---
13 nscd/netgroupcache.c | 5 +++--
14 1 file changed, 3 insertions(+), 2 deletions(-)
16 diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
17 index ad2daddafdc..8835547acfa 100644
18 --- a/nscd/netgroupcache.c
19 +++ b/nscd/netgroupcache.c
20 @@ -503,12 +503,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
21 = (struct indataset *) mempool_alloc (db,
22 sizeof (*dataset) + req->key_len,
23 1);
24 - struct indataset dataset_mem;
25 bool cacheable = true;
26 if (__glibc_unlikely (dataset == NULL))
27 {
28 cacheable = false;
29 - dataset = &dataset_mem;
30 + /* The alloca is safe because nscd_run_worker verfies that
31 + key_len is not larger than MAXKEYLEN. */
32 + dataset = alloca (sizeof (*dataset) + req->key_len);
33 }
35 datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
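Review bot: The alloca added in the `dataset == NULL` branch is sized by `req->key_len`, and its only bound is a check that the comment attributes to nscd_run_worker, which is neither visible nor enforced in addinnetgrX. Consider asserting `req->key_len <= MAXKEYLEN` immediately before the alloca, so the stack allocation stays bounded even if another caller reaches this function or the worker-side check changes. The new comment also has a typo: "verfies" should be "verifies". The allocation size itself is right: `sizeof (*dataset) + req->key_len` matches the length passed to datahead_init_pos on the next line, which the removed fixed-size `dataset_mem` could not hold.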