209538 – use-after-free bug in nscd cache_read() - Coverity CID 1006083

Bug 209538 - use-after-free bug in nscd cache_read() - Coverity CID 1006083

Summary: use-after-free bug in nscd cache_read() - Coverity CID 1006083

Status:	New

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:	patch

Depends on:
Blocks:

Reported:	2016-05-16 05:05 UTC by Don Lewis
Modified:	2018-10-05 17:24 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
patch to fix use-after-free error in nscd (328 bytes, patch) 2016-05-16 05:05 UTC, Don Lewis	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Don Lewis freebsd_committer

2016-05-16 05:05:47 UTC

Created attachment 170339 [details]
patch to fix use-after-free error in nscd

Coverity flagged a use-after-free error in the nscd cache_read function.  It noticed that find_res->value is getting freed before it gets passed to memcpy().  It looks like the problem is a missing return (-1) inside the

    if (find_res->fifo_policy_item->last_request_time.tv_sec -
        find_res->fifo_policy_item->creation_time.tv_sec
        common_entry->common_params.max_lifetime.tv_sec) {

block.

Comment 1 Edward Tomasz Napierala freebsd_committer

2018-10-05 09:47:37 UTC

Does nscd(8) still work correctly after you add the missing return?

Comment 2 Don Lewis freebsd_committer

2018-10-05 17:24:03 UTC

I don't use nscd ...