nscd_getpw_r in libc6 crashes due to invalid free()
Bug #327705 reported by gcc
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| GLibC | Fix Released | Medium | | |
| glibc (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
There is a bug in libc6 in Dapper Drake (2.3.6) which causes applications that use nscd to crash eventually. A simple test is that this command crashes eventually:
perl -e 'while (1){getpwnam(
often with a glibc error about an invalid free(), or aborts for another reason. The bug was reported in redhat:
https:/
and fixed upstream:
http://
Please apply the patch to Dapper Drake.
Changed in glibc: status: Unknown → Fix Released
Changed in glibc: importance: Unknown → Medium
nscd_getpw_r() will free() on a static buffer passed in to it when called by
getpwnam() and friends.
This can be seen by simple code inspection in nscd/nscd_getpw_r.c
(discussion is based on CVS version 1.30 which is the current MAIN). The
following excerpt is a few lines of nscd/nscd_
86:nscd_getpw_r (...) drop_map_ref (mapped, &gc_cycle) != 0 && retval != -1)
96: retry:;
142: resultbuf->pw_uid = pw_resp->pw_uid;
203: if (__nscd_
230: free (resultbuf);
232: goto retry;
The above shows that if there has been a GC cycle, resultbuf is freed and
then reused in the next retry. That's incorrect. It is also incorrect in that
resultbuf is passed in, and it can be a buffer that's not from the heap.
This turns up in a simple getpwnam() call made during a GC cycle. This tries to
free the resbuf in getpwnam and thus dumps core.
Suggested fix: remove free(resultbuf) (line 230).
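To make the ownership rule behind the suggested fix concrete, here is an added example (constructed for this page, not glibc's or nscd's code). It models a reentrant lookup that receives `resultbuf` and a string buffer from its caller, a "before" variant that frees `resultbuf` on the retry path as the excerpt above does, and an "after" variant with the `free()` removed. All names (`buggy_getpw_r`, `fixed_getpw_r`, `mapping_was_garbage_collected`, the tracker functions) and the uid value are illustrative assumptions; the small allocation tracker counts a `free()` of a pointer it never handed out instead of aborting, so the invalid free is observable without corrupting the heap the way the real crash does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the *_r lookup contract: the caller owns resultbuf
 * and buffer (stack, static or heap), so the lookup must never free() them.
 * Names and values here are illustrative, not glibc's. */
struct pwent {
    unsigned int pw_uid;
    char *pw_name;          /* points into the caller-supplied string buffer */
};

/* Tiny allocation tracker: freeing a pointer that did not come from
 * tracked_malloc() is counted as an invalid free rather than aborting. */
#define MAX_TRACKED 16
static void *tracked_ptrs[MAX_TRACKED];
static int invalid_frees;

void tracker_reset(void)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        free(tracked_ptrs[i]);     /* NULL or a live heap pointer */
        tracked_ptrs[i] = NULL;
    }
    invalid_frees = 0;
}

int tracker_invalid_frees(void) { return invalid_frees; }

void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < MAX_TRACKED; i++)
        if (tracked_ptrs[i] == NULL) { tracked_ptrs[i] = p; break; }
    return p;
}

/* Returns 0 if p came from tracked_malloc(), -1 for an invalid free
 * (glibc would print "free(): invalid pointer" and abort here). */
int tracked_free(void *p)
{
    if (p == NULL)
        return 0;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked_ptrs[i] == p) { tracked_ptrs[i] = NULL; free(p); return 0; }
    invalid_frees++;
    return -1;
}

/* Stand-in for "the nscd mapping was garbage-collected, retry": reports one
 * GC cycle on the first attempt only, so every lookup retries exactly once. */
static int mapping_was_garbage_collected(int *attempt)
{
    return (*attempt)++ == 0;
}

/* Copies a constructed response for `name` into the caller's buffers. */
static int fill_result(const char *name, struct pwent *resultbuf,
                       char *buffer, size_t buflen)
{
    size_t len = strlen(name);
    if (len + 1 > buflen)
        return -1;                  /* ERANGE in the real API */
    memcpy(buffer, name, len + 1);
    resultbuf->pw_name = buffer;
    resultbuf->pw_uid = 1000;       /* constructed uid */
    return 0;
}

/* Before: mirrors the flaw in the excerpt. resultbuf is freed on the retry
 * path although it belongs to the caller, and then written to again. */
int buggy_getpw_r(const char *name, struct pwent *resultbuf,
                  char *buffer, size_t buflen)
{
    int attempt = 0;
retry:
    if (fill_result(name, resultbuf, buffer, buflen) != 0)
        return -1;
    if (mapping_was_garbage_collected(&attempt)) {
        tracked_free(resultbuf);    /* BUG: not ours to free */
        goto retry;
    }
    return 0;
}

/* After: the suggested fix, the free() is dropped. The caller's buffers are
 * simply refilled on retry and never released by the lookup. */
int fixed_getpw_r(const char *name, struct pwent *resultbuf,
                  char *buffer, size_t buflen)
{
    int attempt = 0;
retry:
    if (fill_result(name, resultbuf, buffer, buflen) != 0)
        return -1;
    if (mapping_was_garbage_collected(&attempt))
        goto retry;
    return 0;
}

int main(void)
{
    struct pwent pw;                /* not from the heap, like getpwnam's static result */
    char buf[64];
    tracker_reset();
    buggy_getpw_r("alice", &pw, buf, sizeof buf);
    printf("buggy: invalid frees = %d\n", tracker_invalid_frees());
    tracker_reset();
    fixed_getpw_r("alice", &pw, buf, sizeof buf);
    printf("fixed: invalid frees = %d, uid=%u name=%s\n",
           tracker_invalid_frees(), pw.pw_uid, pw.pw_name);
    return 0;
}
```

The tracker is only a teaching device: under real glibc the `free()` of a static or stack `resultbuf` is the "invalid free()" abort the report describes, and freeing a genuinely heap-allocated `resultbuf` would instead leave the retry writing into released memory, which is why the fix is to drop the `free()` rather than to make it conditional.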