summaryrefslogtreecommitdiff
path: root/0020-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch
diff options
context:
space:
mode:
authorCoprDistGit <infra@openeuler.org>2024-10-09 03:36:26 +0000
committerCoprDistGit <infra@openeuler.org>2024-10-09 03:36:26 +0000
commitdb43dfdfa8bc2b938582aef3d87e43594c13ee50 (patch)
tree47b95b2f6ac8d8b7e6fa373a5bd7d661bf7234df /0020-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch
parentb933872de72b006230559f77acc3ccfb38a1f343 (diff)
automatic import of glibcopeneuler20.03
Diffstat (limited to '0020-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch')
-rw-r--r--0020-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch38
1 files changed, 38 insertions, 0 deletions
diff --git a/0020-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch b/0020-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch
new file mode 100644
index 0000000..2188c60
--- /dev/null
+++ b/0020-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch
@@ -0,0 +1,38 @@
+From 5968aebb86164034b8f8421b4abab2f837a5bdaf Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 25 Apr 2024 15:00:45 +0200
+Subject: [PATCH 20/26] CVE-2024-33599: nscd: Stack-based buffer overflow in
+ netgroup cache (bug 31677)
+
+Using alloca matches what other caches do. The request length is
+bounded by MAXKEYLEN.
+
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+(cherry picked from commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa)
+---
+ nscd/netgroupcache.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+index 06b7d7b6ca..31b721bbee 100644
+--- a/nscd/netgroupcache.c
++++ b/nscd/netgroupcache.c
+@@ -502,12 +502,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+ = (struct indataset *) mempool_alloc (db,
+ sizeof (*dataset) + req->key_len,
+ 1);
+- struct indataset dataset_mem;
+ bool cacheable = true;
+ if (__glibc_unlikely (dataset == NULL))
+ {
+ cacheable = false;
+- dataset = &dataset_mem;
++ /* The alloca is safe because nscd_run_worker verfies that
++ key_len is not larger than MAXKEYLEN. */
++ dataset = alloca (sizeof (*dataset) + req->key_len);
+ }
+
+ datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
+--
+2.33.0
+
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-14 12:02:03 +0000