nscd_getpw_r() will free() on a static buffer passed in to it when called by
getpwnam() and friends.
This can be seen by simple code inspection in nscd/nscd_getpw_r.c.
(discussion is based on CVS version 1.30, which is the current MAIN). The
following excerpt is a few lines of nscd/nscd_getpw_r.c:
86: nscd_getpw_r (...)
96:  retry:;
142:   resultbuf->pw_uid = pw_resp->pw_uid;
203:   if (__nscd_drop_map_ref (mapped, &gc_cycle) != 0 && retval != -1)
230:       free (resultbuf);
232:       goto retry;
The above shows that if there has been a GC cycle, resultbuf is freed and
then reused in the next retry. That's incorrect. It is also incorrect in that
resultbuf is passed in, and it can be a buffer that's not from the heap.
This turns up in a simple getpwnam() call made during a GC cycle: the lookup
tries to free the static resbuf in getpwnam() and thus dumps core.
Suggested fix: remove free(resultbuf) (line 230).
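The ownership rule behind the suggested fix, written out as an added example (this is not glibc or nscd code). It models the retry loop from the excerpt with the free() left out: the record and its string buffer belong to the caller and may be static or on the stack, so a retry only overwrites them. struct pw_rec, fake_drop_map_ref(), fake_set_gc_events(), lookup_pw() and run_scenario() are all constructed stand-ins for this illustration; the real lookup calls __nscd_drop_map_ref (mapped, &gc_cycle) against the shared cache mapping.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for struct passwd.  The record and the string
   storage it points into both belong to the caller, as with getpwnam_r(). */
struct pw_rec
{
  char *pw_name;
  uint32_t pw_uid;
};

/* Constructed stand-in for the shared cache's GC bookkeeping.  The real
   code calls __nscd_drop_map_ref (mapped, &gc_cycle); this hypothetical
   fake reports "a GC cycle happened" once per event armed with
   fake_set_gc_events().  Neither helper is nscd's. */
static unsigned fake_gc_events_pending;

void fake_set_gc_events (unsigned n)
{
  fake_gc_events_pending = n;
}

static int fake_drop_map_ref (unsigned *gc_cycle)
{
  if (fake_gc_events_pending == 0)
    return 0;
  fake_gc_events_pending--;
  (*gc_cycle)++;
  return 1;                     /* data may be inconsistent: retry */
}

/* Retry loop with the ownership rule applied.  RESULTBUF and BUFFER are
   the caller's (possibly static, possibly on the stack), so a retry just
   overwrites them; nothing here ever passes them to free().  Returns 0 on
   success, storing the retry count in *NRETRIES_OUT, or -1 on failure. */
int lookup_pw (const char *name, struct pw_rec *resultbuf,
               char *buffer, size_t buflen, int *nretries_out)
{
  int nretries = 0;
  unsigned gc_cycle = 0;
  size_t len = strlen (name) + 1;

  if (len > buflen)
    return -1;                  /* the real API reports ERANGE here */

 retry:
  /* Simulated cache answer: fill the caller's storage in place. */
  memcpy (buffer, name, len);
  resultbuf->pw_name = buffer;
  resultbuf->pw_uid = 1000;

  if (fake_drop_map_ref (&gc_cycle) != 0)
    {
      if (++nretries == 5)
        return -1;
      /* The reported bug put "free (resultbuf);" here, handing memory the
         function does not own (and that need not be heap) to free().
         The retry needs no release step at all; the next pass overwrites. */
      goto retry;
    }

  *nretries_out = nretries;
  return 0;
}

/* One scenario on purely stack-allocated storage.  Returns the number of
   retries the lookup needed, -1 if it failed, or -2 if the record does
   not point at the caller's buffer with the expected contents. */
int run_scenario (const char *name, unsigned gc_events)
{
  struct pw_rec rec;
  char strbuf[16];
  int nretries = -1;

  fake_set_gc_events (gc_events);
  if (lookup_pw (name, &rec, strbuf, sizeof strbuf, &nretries) != 0)
    return -1;
  if (rec.pw_name != strbuf || strcmp (rec.pw_name, name) != 0)
    return -2;
  return nretries;
}

int main (void)
{
  printf ("no GC race:      retries=%d\n", run_scenario ("alice", 0));
  printf ("two GC cycles:   retries=%d\n", run_scenario ("alice", 2));
  printf ("endless GC race: rc=%d\n", run_scenario ("bob", 10));
  return 0;
}
```

With the free() removed, every scenario, including the one that gives up after five GC cycles, leaves the caller's stack buffer untouched by the allocator; with the free() in place, the second and third scenarios would hand a stack address to free() on their first retry, which is the crash the report describes for getpwnam()'s static resbuf.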