We have a segfault case that can be prevented by the attached patch. It does not address the actual source of the problem but it seems to be a reasonable compromise to plug this hole while we try to determine the cause.
Simo. -- Simo Sorce * Red Hat, Inc * New York
>From 61bcad91e86b5cb38e7fff24049ded31d92aff99 Mon Sep 17 00:00:00 2001 From: Simo Sorce <[email protected]> Date: Wed, 19 Dec 2012 11:56:27 -0500 Subject: [PATCH] nss_mc: Add extra checks when dereferencing records Although it should enver happen that we pass in an invalid hash it is always better to just not do anything than access memory ouf of the hash table. It can lead to segfaults, or worse referencing memory that should not be touched. --- src/responder/nss/nsssrv_mmap_cache.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c index aad752b33649c0a91ab48c83943edc39e0145f15..a13c35a9aeac3665b53934efe501d268e3d3d60e 100644 --- a/src/responder/nss/nsssrv_mmap_cache.c +++ b/src/responder/nss/nsssrv_mmap_cache.c @@ -106,6 +106,12 @@ static void sss_mc_add_rec_to_chain(struct sss_mc_ctx *mcc, struct sss_mc_rec *cur; uint32_t slot; + if (hash > mcc->ht_size) { + /* Invalid hash. This should never happen, but better + * return than trying to access out of bounds memory */ + return; + } + slot = mcc->hash_table[hash]; if (slot == MC_INVALID_VAL) { /* no previous record/collision, just add to hash table */ @@ -136,6 +142,12 @@ static void sss_mc_rm_rec_from_chain(struct sss_mc_ctx *mcc, struct sss_mc_rec *cur = NULL; uint32_t slot; + if (hash > mcc->ht_size) { + /* Invalid hash. This should never happen, but better + * return than trying to access out of bounds memory */ + return; + } + slot = mcc->hash_table[hash]; cur = MC_SLOT_TO_PTR(mcc->data_table, slot, struct sss_mc_rec); if (cur == rec) { -- 1.8.0.1
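Review bot: In sss_mc_add_rec_to_chain the guard `hash > mcc->ht_size` still lets `hash == mcc->ht_size` through to `mcc->hash_table[hash]`. If ht_size is the number of entries in hash_table, that reads one element past the end, so the comparison should be `>=`. The hunk does not show whether ht_size counts entries or bytes; if it is a byte size, the bound has to be converted to an element count before the comparison, otherwise the check admits most out-of-range values. Since the function returns silently on a condition that "should never happen", a debug message before the `return` would help identify the caller that passes the bad hash.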
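Review bot: In sss_mc_rm_rec_from_chain the value read by `slot = mcc->hash_table[hash];` is passed straight to `MC_SLOT_TO_PTR(mcc->data_table, slot, struct sss_mc_rec)` with no validation, while the add path in the previous hunk tests `slot == MC_INVALID_VAL` before using it. An empty or corrupted slot would yield a `cur` pointer outside data_table, and any later dereference of `cur` has the same out-of-bounds problem this patch is meant to stop. Suggest returning early when slot is MC_INVALID_VAL, and checking slot against the data table bounds, before the conversion. The `>` versus `>=` concern on `hash > mcc->ht_size` applies to this guard as well.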
