From 50fd745b4dec07e8e213cf2703b5cabcfa128225 Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Mon, 10 Jun 2013 14:39:09 +0200
Subject: [PATCH] Fix handling of netgroup cache in nscd

---
 ChangeLog            |  9 +++++++++
 NEWS                 |  2 +-
 nscd/connections.c   |  3 ++-
 nscd/netgroupcache.c | 32 ++++++++++++++++++++------------
 nscd/nscd_netgroup.c |  2 +-
 5 files changed, 33 insertions(+), 15 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6444a89034..0afbce712c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2013-06-11  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #15577]
+	* nscd/connections.c (nscd_run_worker): Always zero-terminate key.
+	* nscd/netgroupcache.c (addgetnetgrentX): Properly handle absent
+	values in the triple.
+	* nscd/nscd_netgroup.c (__nscd_setnetgrent): Include zero
+	terminator in the group key.
+
 2013-06-11  Andreas Jaeger  <aj@suse.de>
 
 	* po/zh_TW.po: Update Chinese (traditional) translation from
diff --git a/NEWS b/NEWS
index 99c0c9491d..fe8d5b3926 100644
--- a/NEWS
+++ b/NEWS
@@ -19,7 +19,7 @@ Version 2.18
   15336, 15337, 15339, 15342, 15346, 15359, 15361, 15366, 15380, 15381,
   15394, 15395, 15405, 15406, 15409, 15416, 15418, 15419, 15423, 15424,
   15426, 15429, 15441, 15442, 15448, 15465, 15480, 15485, 15488, 15490,
-  15493, 15497, 15506, 15529, 15536, 15553, 15583.
+  15493, 15497, 15506, 15529, 15536, 15553, 15577, 15583.
 
 * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
   #15078).
diff --git a/nscd/connections.c b/nscd/connections.c
index 7099215916..69e3e7dc08 100644
--- a/nscd/connections.c
+++ b/nscd/connections.c
@@ -1779,7 +1779,7 @@ nscd_run_worker (void *p)
       else
 	{
 	  /* Get the key.  */
-	  char keybuf[MAXKEYLEN];
+	  char keybuf[MAXKEYLEN + 1];
 
 	  if (__builtin_expect (TEMP_FAILURE_RETRY (read (fd, keybuf,
 							  req.key_len))
@@ -1791,6 +1791,7 @@ nscd_run_worker (void *p)
 			 strerror_r (errno, buf, sizeof (buf)));
 	      goto close_and_out;
 	    }
+	  keybuf[req.key_len] = '\0';
 
 	  if (__builtin_expect (debug_level, 0) > 0)
 	    {
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index 2d6c5aa459..dd06ce4fae 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -192,18 +192,26 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
 			    const char *nuser = data.val.triple.user;
 			    const char *ndomain = data.val.triple.domain;
 
-			    if (data.val.triple.host > data.val.triple.user
-				|| data.val.triple.user > data.val.triple.domain)
+			    if (nhost == NULL || nuser == NULL || ndomain == NULL
+				|| nhost > nuser || nuser > ndomain)
 			      {
-				const char *last = MAX (nhost,
-							MAX (nuser, ndomain));
-				size_t bufused = (last + strlen (last) + 1
-						  - buffer);
+				const char *last = nhost;
+				if (last == NULL
+				    || (nuser != NULL && nuser > last))
+				  last = nuser;
+				if (last == NULL
+				    || (ndomain != NULL && ndomain > last))
+				  last = ndomain;
+
+				size_t bufused
+				  = (last == NULL
+				     ? buffilled
+				     : last + strlen (last) + 1 - buffer);
 
 				/* We have to make temporary copies.  */
-				size_t hostlen = strlen (nhost) + 1;
-				size_t userlen = strlen (nuser) + 1;
-				size_t domainlen = strlen (ndomain) + 1;
+				size_t hostlen = strlen (nhost ?: "") + 1;
+				size_t userlen = strlen (nuser ?: "") + 1;
+				size_t domainlen = strlen (ndomain ?: "") + 1;
 				size_t needed = hostlen + userlen + domainlen;
 
 				if (buflen - req->key_len - bufused < needed)
@@ -226,11 +234,11 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
 				  }
 
 				nhost = memcpy (buffer + bufused,
-						nhost, hostlen);
+						nhost ?: "", hostlen);
 				nuser = memcpy ((char *) nhost + hostlen,
-						nuser, userlen);
+						nuser ?: "", userlen);
 				ndomain = memcpy ((char *) nuser + userlen,
-						  ndomain, domainlen);
+						  ndomain ?: "", domainlen);
 			      }
 
 			    char *wp = buffer + buffilled;
diff --git a/nscd/nscd_netgroup.c b/nscd/nscd_netgroup.c
index cac4ebfcd3..acb2c81457 100644
--- a/nscd/nscd_netgroup.c
+++ b/nscd/nscd_netgroup.c
@@ -48,7 +48,7 @@ __nscd_setnetgrent (const char *group, struct __netgrent *datap)
 {
   int gc_cycle;
   int nretries = 0;
-  size_t group_len = strlen (group);
+  size_t group_len = strlen (group) + 1;
 
   /* If the mapping is available, try to search there instead of
      communicating with the nscd.  */
-- 
2.11.4.GIT