nscd_getpw_r() will call free() on a static buffer passed in to it when called by getpwnam() and friends. This can be seen by simple code inspection in nscd/nscd_getpw_r.c (the discussion is based on CVS version 1.30, which is the current MAIN). The following excerpt is a few lines of nscd/nscd_getpw_r.c:

 86: nscd_getpw_r (...)
 96:  retry:;
142:  resultbuf->pw_uid = pw_resp->pw_uid;
203:  if (__nscd_drop_map_ref (mapped, &gc_cycle) != 0 && retval != -1)
230:    free (resultbuf);
232:    goto retry;

The above shows that if there has been a GC cycle, resultbuf is freed and then reused in the next retry. That's incorrect. It is also incorrect in that resultbuf is passed in, and it can be a buffer that's not from the heap. This turns up in a simple getpwnam() call made during a GC cycle. This tries to free the resbuf in getpwnam and thus dumps core. Suggested fix: remove free(resultbuf) (line 230).
Created attachment 665: glibc_1363_testcase1.c. C source that might coredump; it just calls getpwnam() on different non-existing users. It coredumps on the first call after the nscd daemon does GC. This is easiest to see by running the attached program and "nscd -d -d -d -d" in two adjacent sessions. As soon as I see "remove GETPWBYNAME entry "....."" by nscd, the test program aborts. (Originally found on SuSE 9.3 x86_64 w/ glibc-2.3.4-23.4)
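Reproducer modeled on the report and the attachment description above, added here as an example; it is my own code, not attachment 665 and not glibc's. It loops over constructed, non-existent user names and exercises both client paths into nscd_getpw_r(): getpwnam(), where glibc passes its static struct passwd, and getpwnam_r(), where the struct passwd is supplied by the caller and here lives on the stack, i.e. the non-heap resultbuf the report describes. The user-name pattern, the buffer size and the function name are assumptions. Run it beside "nscd -d -d -d -d" on an affected glibc with nscd serving passwd; on a system without the bug it simply keeps counting misses.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not attachment 665 from the report. Looks up 'rounds'
   constructed user names (pattern is an assumption) that do not exist and
   returns the number of misses: 2 * rounds on a healthy system. A core dump
   here under an affected nscd client means free() was applied to a struct
   passwd that is not heap memory (glibc's static one, or ours on the stack). */
int probe_missing_users(int rounds)
{
    char name[64];
    char buf[1024];          /* string storage for getpwnam_r(), on the stack */
    struct passwd pw;        /* the caller-supplied resultbuf: stack, not heap */
    struct passwd *res;
    int misses = 0;

    for (int i = 0; i < rounds; i++) {
        snprintf(name, sizeof name, "nosuchuser_%d_glibc1363", i);

        /* getpwnam() path: glibc hands nscd its static struct passwd */
        if (getpwnam(name) == NULL)
            misses++;

        /* getpwnam_r() path: nscd gets a pointer to our stack struct */
        res = NULL;
        int rc = getpwnam_r(name, &pw, buf, sizeof buf, &res);
        if (rc == ERANGE)    /* buffer too small is not a miss; skip it */
            continue;
        if (res == NULL)     /* rc is 0, ENOENT or ESRCH for "not found" */
            misses++;
    }
    return misses;
}

int main(void)
{
    /* Keep running so the process is live when nscd's next GC cycle hits;
       watch for "remove GETPWBYNAME entry" in the nscd -d -d -d -d output. */
    unsigned long total = 0;
    for (;;) {
        total += probe_missing_users(100);
        printf("%lu lookups done, still alive\n", total);
        fflush(stdout);
    }
    return 0;
}
```

Both lookup styles are included because the free(resultbuf) in the excerpt is reached from either one; the getpwnam_r() variant makes the "buffer not from the heap" case explicit without relying on glibc internals.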
Fixed on CVS trunk.