This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
[PATCH] [BZ 17460] "nscd --help" crashes with segmentation fault on 32-bit machine
- From: Mikel Rychliski <mikel at mikelr dot com>
- To: libc-alpha at sourceware dot org
- Date: Mon, 06 Oct 2014 16:13:57 -0400
- Subject: [PATCH] [BZ 17460] "nscd --help" crashes with segmentation fault on 32-bit machine
Printing the nscd help message with "nscd --help" fails part way through the message with a segmentation fault. Reproducible on a 32-bit architecture.
There is a buffer overflow when printing the supported tables. The memory allocated to hold the concatenated string is allocated with a size of the pointer array. This allocation is of insufficient length to hold the strings themselves.
Thanks,
Mikel Rychliski
diff --git a/ChangeLog b/ChangeLog
index e127a08..24ea7c4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-10-06 Mikel Rychliski <mikel@mikelr.com>
+
+ [BZ #17460]
+ * nscd/nscd.c: Fix crash on usage() output.
+
2014-10-02 Chris Metcalf <cmetcalf@tilera.com>
* sysdeps/unix/sysv/linux/tile/sysdep.h (INLINE_VSYSCALL): Define
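Review bot: the new ChangeLog entry names only the file, not the function being changed, unlike the Chris Metcalf entry directly below it, which gives "(INLINE_VSYSCALL)". The nscd.c hunk sits inside more_help, so "* nscd/nscd.c (more_help): ..." would match the surrounding style. The description could also say what was wrong (the buffer for the table names was sized from the pointer array) rather than only "Fix crash on usage() output".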
diff --git a/nscd/nscd.c b/nscd/nscd.c
index 7131ead..4a03d16 100644
--- a/nscd/nscd.c
+++ b/nscd/nscd.c
@@ -458,13 +458,25 @@ more_help (int key, const char *text, void *input)
case ARGP_KEY_HELP_EXTRA:
{
dbtype cnt;
+ size_t allocated = 40;
+ char *wp = xmalloc (allocated);
- tables = xmalloc (sizeof (dbnames) + 1);
+ tables = wp;
for (cnt = 0; cnt < lastdb; cnt++)
{
- strcat (tables, dbnames[cnt]);
- strcat (tables, " ");
+ size_t len = strlen (dbnames[cnt]);
+ if (wp + len + 2 > tables + allocated)
+ {
+ char *newp;
+ allocated = (allocated + len) * 2;
+ newp = xrealloc (tables, allocated);
+ wp = newp + (wp - tables);
+ tables = newp;
+ }
+ wp = mempcpy (wp, dbnames[cnt], len);
+ wp = mempcpy (wp, " ", 1);
}
+ *wp++ = '\0';
}
/* We print some extra information. */
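Review bot: in the growth branch, `wp = newp + (wp - tables);` takes the offset from `tables` after `xrealloc (tables, allocated)` has already run, so the subtraction uses a pointer to a block that may have been freed. Save the offset in a size_t before the xrealloc call and set wp from newp plus that offset. The bounds test `wp + len + 2 > tables + allocated` can likewise form a pointer beyond the end of the buffer before it grows; comparing lengths (len + 2 against allocated minus the bytes already written) avoids that. Smaller points: the initial size of 40 is an unexplained constant and deserves a comment or a computed value, and `*wp++ = '\0';` does not need the increment, since wp is not used again in the lines shown.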