[PATCH] Fix SEGV in nscd with only one remaining file descriptor


[PATCH] Fix SEGV in nscd with only one remaining file descriptor

Guillaume Chazarain
Hi,

Running programs with only one free file descriptor, like:

ulimit -n 4
ls -l /

produces a SEGV in the nscd client code:

Core was generated by `ls -l /'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000032c9efe781 in get_mapping (type=<value optimized out>,
     key=0x32c9f18b15 "passwd", mappedp=0x32ca14c888) at nscd_helper.c:245
245       if (__builtin_expect (CMSG_FIRSTHDR (&msg)->cmsg_len
(gdb) p msg
$1 = {msg_name = 0x0, msg_namelen = 0, msg_iov = 0x7fff3990a460,
   msg_iovlen = 1, msg_control = 0x7fff3990a440, msg_controllen = 0,
   msg_flags = 8}

msg_controllen is 0, so CMSG_FIRSTHDR (&msg) is NULL.

The attached patch fixes this bug by checking CMSG_FIRSTHDR (&msg).

Thanks.

--
Guillaume

--- glibc-2.6-orig/nscd/nscd_helper.c
+++ glibc-2.6/nscd/nscd_helper.c
@@ -271,6 +271,9 @@ get_mapping (request_type type, const ch
 
   mapfd = *(int *) CMSG_DATA (cmsg);
 
+  if (__builtin_expect (!CMSG_FIRSTHDR (&msg), 0))
+    goto out_close;
+
   if (__builtin_expect (CMSG_FIRSTHDR (&msg)->cmsg_len
  != CMSG_LEN (sizeof (int)), 0))
     goto out_close;
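Review bot: the new NULL check jumps to `out_close`, but when `CMSG_FIRSTHDR (&msg)` is NULL no descriptor was received, so that label closes a `mapfd` that was never passed; this error path needs an exit that skips the close (Ulrich's reply below raises exactly this). The check also sits after the context line `mapfd = *(int *) CMSG_DATA (cmsg);`, so if `cmsg` is that same first header the read through a NULL header happens before the test; move the check above that read, or fold it into the existing condition as `CMSG_FIRSTHDR (&msg) == NULL || CMSG_FIRSTHDR (&msg)->cmsg_len != CMSG_LEN (sizeof (int))` so there is a single error test.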
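The failure Guillaume reports, as an added example that is neither part of this thread nor glibc code: a receiver that refuses a truncated SCM_RIGHTS message instead of dereferencing a NULL control header (the `msg_flags = 8` in the gdb dump is MSG_CTRUNC on Linux), closes nothing on that path, and a constructed socketpair round trip that lowers the soft RLIMIT_NOFILE to reproduce the no-free-descriptor case. The function names (`recv_passed_fd`, `send_passed_fd`, `recv_under_limit`) and the `fdctl` union are my own.

```c
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

union fdctl { struct cmsghdr hdr; char buf[CMSG_SPACE (sizeof (int))]; };

/* Receive a descriptor passed over SOCK, or -1 when no usable control data
   arrived: with no free fd slot the kernel drops the descriptor, sets MSG_CTRUNC
   and leaves msg_controllen 0, so CMSG_FIRSTHDR is NULL (the crash reported
   above).  Nothing is closed here, since no descriptor was handed over.  */
int recv_passed_fd (int sock)
{
  char byte; int fd; union fdctl ctl; struct iovec iov = { &byte, 1 };
  struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
  if (recvmsg (sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
    return -1;
  struct cmsghdr *cmsg = CMSG_FIRSTHDR (&msg);
  if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET
      || cmsg->cmsg_type != SCM_RIGHTS || cmsg->cmsg_len != CMSG_LEN (sizeof fd))
    return -1;
  memcpy (&fd, CMSG_DATA (cmsg), sizeof fd);
  return fd;
}

/* Pass FD over SOCK with SCM_RIGHTS: 0 on success, -1 on failure.  */
int send_passed_fd (int sock, int fd)
{
  char byte = 0; union fdctl ctl; struct iovec iov = { &byte, 1 };
  struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
  struct cmsghdr *cmsg = CMSG_FIRSTHDR (&msg);
  cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS;
  cmsg->cmsg_len = CMSG_LEN (sizeof fd); memcpy (CMSG_DATA (cmsg), &fd, sizeof fd);
  return sendmsg (sock, &msg, 0) == 1 ? 0 : -1;
}

/* Constructed reproduction: pass a descriptor to ourselves over a socketpair.
   With TIGHTEN set, the soft RLIMIT_NOFILE is first lowered to the lowest free
   fd number, so the receive has no slot left (the "ulimit -n" case above).
   Returns the received fd, -1 from the receiver, or -2 on setup failure.  */
int recv_under_limit (int tighten)
{
  int sv[2], got = -2; struct rlimit old, tight;
  if (socketpair (AF_UNIX, SOCK_STREAM, 0, sv) < 0 || getrlimit (RLIMIT_NOFILE, &old) < 0)
    return -2;
  int next = dup (sv[0]); close (next); tight = old; tight.rlim_cur = next;
  if (send_passed_fd (sv[0], sv[0]) == 0
      && (!tighten || setrlimit (RLIMIT_NOFILE, &tight) == 0))
    got = recv_passed_fd (sv[1]);
  setrlimit (RLIMIT_NOFILE, &old); close (sv[0]); close (sv[1]);
  return got;
}
```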

Re: [PATCH] Fix SEGV in nscd with only one remaining file descriptor

Ulrich Drepper

Guillaume Chazarain wrote:
> The attached patch fixes this bug by checking CMSG_FIRSTHDR (&msg).

Almost correct.  You tried to close a non-existing file descriptor,
though.  I checked in a patch.  Next time consider filing a bug in
bugzilla so that there is no danger of the report getting lost.

--
➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖

Re: [PATCH] Fix SEGV in nscd with only one remaining file descriptor

Guillaume Chazarain
Ulrich Drepper wrote:
> You tried to close a non-existing file descriptor,
> though.

As did the original code, that you just fixed with your patch ;-)

Thanks.

--
Guillaume

Re: [PATCH] Fix SEGV in nscd with only one remaining file descriptor

Ulrich Drepper

Guillaume Chazarain wrote:
> As did the original code, that you just fixed with your patch ;-)

Not quite.  The original code closed the descriptor if something got
transmitted.   So, it was overly cautious and was deliberate.  But
thinking more about it this caution wasn't needed.

--
➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖

Re: [PATCH] Fix SEGV in nscd with only one remaining file descriptor

Guillaume Chazarain
Ulrich Drepper wrote:

> Not quite.  The original code closed the descriptor if something got
> transmitted.   So, it was overly cautious and was deliberate.  But
> thinking more about it this caution wasn't needed.

OK, thank you for the clarification.

--
Guillaume