This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[PATCH] Fix SEGV in nscd with only one remaining file descriptor


Running programs with only one free file descriptor, like:

ulimit -n 4
ls -l /

produces a SEGV in the nscd client code:

Core was generated by `ls -l /'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000032c9efe781 in get_mapping (type=<value optimized out>,
    key=0x32c9f18b15 "passwd", mappedp=0x32ca14c888) at nscd_helper.c:245
245       if (__builtin_expect (CMSG_FIRSTHDR (&msg)->cmsg_len
(gdb) p msg
$1 = {msg_name = 0x0, msg_namelen = 0, msg_iov = 0x7fff3990a460,
  msg_iovlen = 1, msg_control = 0x7fff3990a440, msg_controllen = 0,
  msg_flags = 8}

msg_controllen is 0 so (CMSG_FIRSTHDR (&msg) is NULL.

The attached patch fixes this bug by checking CMSG_FIRSTHDR (&msg).


--- glibc-2.6-orig/nscd/nscd_helper.c
+++ glibc-2.6/nscd/nscd_helper.c
@@ -271,6 +271,9 @@ get_mapping (request_type type, const ch
   mapfd = *(int *) CMSG_DATA (cmsg);
+  if (__builtin_expect (!CMSG_FIRSTHDR (&msg), 0))
+    goto out_close;
   if (__builtin_expect (CMSG_FIRSTHDR (&msg)->cmsg_len
 			!= CMSG_LEN (sizeof (int)), 0))
     goto out_close;

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]