* nscd/mem.c (mempool_alloc): Round array size to 16 bytes

	in oldtotal and newtotal calculation.
	* nscd/nscd-client.h (struct mapped_database): Add datasize
	field.
	* nscd/nscd_helper.c (get_mapping): Initialize datasize field.
	(__nscd_get_map_ref): Get a new mapping even if mapping's data_size
	increased.
	(__nscd_cache_search): Add checks to make sure we never reference
	data beyond the current mapping.

diff --git a/ChangeLog b/ChangeLog
index 9ddd2f580592f72ff6477d4ef703ef29fab9dace..27cb03cc4c9265bb68dfe7a7838927b9ec3f63a2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2006-10-02  Jakub Jelinek  <jakub@redhat.com>
+
+       * nscd/mem.c (mempool_alloc): Round array size to 16 bytes
+       in oldtotal and newtotal calculation.
+       * nscd/nscd-client.h (struct mapped_database): Add datasize
+       field.
+       * nscd/nscd_helper.c (get_mapping): Initialize datasize field.
+       (__nscd_get_map_ref): Get a new mapping even if mapping's data_size
+       increased.
+       (__nscd_cache_search): Add checks to make sure we never reference
+       data beyond the current mapping.
+
 2006-10-02  Dmitry V. Levin  <ldv@altlinux.org>
 
        * io/fts.c (fts_close): Remove redundant checks.

diff --git a/nscd/mem.c b/nscd/mem.c
index a41c0bdb074b8d97c491b7b106744167cb03604c..5206c5af38b9dd6d1da8f894f5f86badd0dd48f2 100644 (file)
--- a/nscd/mem.c
+++ b/nscd/mem.c
@@ -1,5 +1,5 @@
 /* Cache memory handling.
-   Copyright (C) 2004, 2005 Free Software Foundation, Inc.
+   Copyright (C) 2004, 2005, 2006 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Ulrich Drepper <drepper@redhat.com>, 2004.
 
@@ -480,12 +480,12 @@ mempool_alloc (struct database_dyn *db, size_t len)
        {
          /* Try to resize the database.  Grow size of 1/8th.  */
          size_t oldtotal = (sizeof (struct database_pers_head)
-                            + db->head->module * sizeof (ref_t)
+                            + roundup (db->head->module * sizeof (ref_t), ALIGN)
                             + db->head->data_size);
          size_t new_data_size = (db->head->data_size
                                  + MAX (2 * len, db->head->data_size / 8));
          size_t newtotal = (sizeof (struct database_pers_head)
-                            + db->head->module * sizeof (ref_t)
+                            + roundup (db->head->module * sizeof (ref_t), ALIGN)
                             + new_data_size);
          if (newtotal > db->max_db_size)
            {

diff --git a/nscd/nscd-client.h b/nscd/nscd-client.h
index 440697f1becec3b1089ece145d20e4281d2fe694..0fd2d9f547e3ed0babb1a6b2d92d1a87bd8a9b85 100644 (file)
--- a/nscd/nscd-client.h
+++ b/nscd/nscd-client.h
@@ -258,6 +258,7 @@ struct mapped_database
   const char *data;
   size_t mapsize;
   int counter;         /* > 0 indicates it is usable.  */
+  size_t datasize;
 };
 #define NO_MAPPING ((struct mapped_database *) -1l)
 

diff --git a/nscd/nscd_helper.c b/nscd/nscd_helper.c
index 1dfe746d7a2d0b0d2272e405ea98786f021e3117..7c45981586696f0f3f467bc2a9f4c26b0b945b3e 100644 (file)
--- a/nscd/nscd_helper.c
+++ b/nscd/nscd_helper.c
@@ -290,6 +290,7 @@ get_mapping (request_type type, const char *key,
       newp->data = ((char *) mapping + head.header_size
                    + roundup (head.module * sizeof (ref_t), ALIGN));
       newp->mapsize = size;
+      newp->datasize = head.data_size;
       /* Set counter to 1 to show it is usable.  */
       newp->counter = 1;
 
@@ -340,7 +341,8 @@ __nscd_get_map_ref (request_type type, const char *name,
       /* If not mapped or timestamp not updated, request new map.  */
       if (cur == NULL
          || (cur->head->nscd_certainly_running == 0
-             && cur->head->timestamp + MAPPING_TIMEOUT < time (NULL)))
+             && cur->head->timestamp + MAPPING_TIMEOUT < time (NULL))
+         || cur->head->data_size > cur->datasize)
        cur = get_mapping (type, name,
                           (struct mapped_database **) &mapptr->mapped);
 
@@ -365,14 +367,18 @@ __nscd_cache_search (request_type type, const char *key, size_t keylen,
                     const struct mapped_database *mapped)
 {
   unsigned long int hash = __nis_hash (key, keylen) % mapped->head->module;
+  size_t datasize = mapped->datasize;
 
   ref_t work = mapped->head->array[hash];
-  while (work != ENDREF)
+  while (work != ENDREF && work + sizeof (struct hashentry) <= datasize)
     {
       struct hashentry *here = (struct hashentry *) (mapped->data + work);
 
-      if (type == here->type && keylen == here->len
-         && memcmp (key, mapped->data + here->key, keylen) == 0)
+      if (type == here->type
+         && keylen == here->len
+         && here->key + here->len <= datasize
+         && memcmp (key, mapped->data + here->key, keylen) == 0
+         && here->packet + sizeof (struct datahead) <= datasize)
        {
          /* We found the entry.  Increment the appropriate counter.  */
          const struct datahead *dh
@@ -380,8 +386,7 @@ __nscd_cache_search (request_type type, const char *key, size_t keylen,
 
          /* See whether we must ignore the entry or whether something
             is wrong because garbage collection is in progress.  */
-         if (dh->usable && ((char *) dh + dh->allocsize
-                            <= (char *) mapped->head + mapped->mapsize))
+         if (dh->usable && here->packet + dh->allocsize <= datasize)
            return dh;
        }