- fix potential access of freed mem in ndb's glue code [bnc#1179416]

OBS-URL: https://build.opensuse.org/package/show/Base:System/rpm?expand=0&rev=565
2021-01-05 15:40:08 +00:00 · 2021-01-05 15:40:08 +00:00 · 866e482bc6
commit 866e482bc6
parent 30e44e5b0f
4 changed files with 22 additions and 126 deletions
--- a/ndbglue.diff
+++ b/ndbglue.diff
@ -1,135 +1,31 @@
--- ./lib/backend/ndb/glue.c.orig
-+++ ./lib/backend/ndb/glue.c
-@@ -19,6 +19,8 @@ struct dbiCursor_s {
-     const void *key;
-     unsigned int keylen;
-     unsigned int hdrNum;
-+    void *data;
-+    unsigned int datalen;
-     int flags;
+--- ./lib/backend/ndb/glue.c.orig	2021-01-05 15:36:03.097744355 +0000
+++ ./lib/backend/ndb/glue.c	2021-01-05 15:36:35.353659287 +0000
+@@ -316,7 +316,7 @@ static rpmRC ndb_pkgdbPut(dbiIndex dbi,
 
-     unsigned int *list;
-@@ -33,7 +35,7 @@ struct ndbEnv_s {
-     int refs;
-     int dofsync;
- 
-    unsigned int hdrNum;
-+    unsigned int hdrNum;		/* free for adoption */
-     void *data;
-     unsigned int datalen;
- };
-@@ -278,6 +280,40 @@ static int ndb_Ctrl(rpmdb rdb, dbCtrlOp ctrl)
-     return 0;
- }
- 
-+static void setenvdata(struct ndbEnv_s *ndbenv, unsigned int hdrNum, unsigned char *hdrBlob, unsigned int hdrLen)
-+{
-+    if (ndbenv->data)
-+	free(ndbenv->data);
-+    ndbenv->hdrNum = hdrNum;
-+    ndbenv->data = hdrBlob;
-+    ndbenv->datalen = hdrLen;
-+}
-+
-+static void setdata(dbiCursor dbc, unsigned int hdrNum, unsigned char *hdrBlob, unsigned int hdrLen)
-+{
-+    struct ndbEnv_s *ndbenv = dbc->dbi->dbi_rpmdb->db_dbenv;
-+    if (ndbenv->data)
-+	setenvdata(ndbenv, 0, 0, 0);		/* clear dbenv cache */
-+    if (dbc->data)
-+	free(dbc->data);
-+    dbc->hdrNum = hdrNum;
-+    dbc->data = hdrBlob;
-+    dbc->datalen = hdrLen;
-+}
-+
-+static void adoptdata(dbiCursor dbc)
-+{
-+    struct ndbEnv_s *ndbenv = dbc->dbi->dbi_rpmdb->db_dbenv;
-+    if (dbc->data)
-+	free(dbc->data);
-+    dbc->hdrNum = ndbenv->hdrNum;
-+    dbc->data = ndbenv->data;
-+    dbc->datalen = ndbenv->datalen;
-+    ndbenv->hdrNum = 0;
-+    ndbenv->data = 0;
-+    ndbenv->datalen = 0;
-+}
-+
- static dbiCursor ndb_CursorInit(dbiIndex dbi, unsigned int flags)
- {
-     dbiCursor dbc = xcalloc(1, sizeof(*dbc));
-@@ -293,21 +329,17 @@ static dbiCursor ndb_CursorFree(dbiIndex dbi, dbiCursor dbc)
- 	    free(dbc->list);
- 	if (dbc->listdata)
- 	    free(dbc->listdata);
-+	if (dbc->data) {
-+	    /* release data into dbenv so that the next cursor can adopt it */
-+	    struct ndbEnv_s *ndbenv = dbc->dbi->dbi_rpmdb->db_dbenv;
-+	    setenvdata(ndbenv, dbc->hdrNum, dbc->data, dbc->datalen);
-+	}
- 	free(dbc);
+     if (hnum == 0) {
+ 	rc = rpmpkgNextPkgIdx(dbc->dbi->dbi_db, &hnum);
+-	if (!rc)
+	if (!rc && ndbenv->hdrNum == hnum)
+ 	    setdata(dbc, hnum, 0, 0);
     }
-     return NULL;
- }
 
- 
-static void setdata(dbiCursor dbc,  unsigned int hdrNum, unsigned char *hdrBlob, unsigned int hdrLen)
-{
-    struct ndbEnv_s *ndbenv = dbc->dbi->dbi_rpmdb->db_dbenv;
-    if (ndbenv->data)
-	free(ndbenv->data);
-    ndbenv->hdrNum  = hdrNum;
-    ndbenv->data    = hdrBlob;
-    ndbenv->datalen = hdrLen;
-}
- 
- static rpmRC ndb_pkgdbPut(dbiIndex dbi, dbiCursor dbc,  unsigned int *hdrNum, unsigned char *hdrBlob, unsigned int hdrLen)
- {
-@@ -324,7 +356,6 @@ static rpmRC ndb_pkgdbPut(dbiIndex dbi, dbiCursor dbc,  unsigned int *hdrNum, un
- 	rc = rpmpkgPut(dbc->dbi->dbi_db, hnum, hdrBlob, hdrLen);
+@@ -325,7 +325,8 @@ static rpmRC ndb_pkgdbPut(dbiIndex dbi,
 
     if (!rc) {
-	dbc->hdrNum = hnum;
- 	setdata(dbc, hnum, 0, 0);
+ 	dbc->hdrNum = hnum;
+-	setdata(dbc, hnum, 0, 0);
+	if (ndbenv->hdrNum == hnum)
+	    setdata(dbc, hnum, 0, 0);
 	*hdrNum = hnum;
     }
-@@ -333,7 +364,6 @@ static rpmRC ndb_pkgdbPut(dbiIndex dbi, dbiCursor dbc,  unsigned int *hdrNum, un
- 
+     return rc;
+@@ -334,7 +335,8 @@ static rpmRC ndb_pkgdbPut(dbiIndex dbi,
 static rpmRC ndb_pkgdbDel(dbiIndex dbi, dbiCursor dbc,  unsigned int hdrNum)
 {
-    dbc->hdrNum = 0;
-     setdata(dbc, 0, 0, 0);
+     dbc->hdrNum = 0;
+-    setdata(dbc, 0, 0, 0);
+    if (ndbenv->hdrNum == hnum)
+	setdata(dbc, 0, 0, 0);
     return rpmpkgDel(dbc->dbi->dbi_db, hdrNum);
 }
-@@ -362,7 +392,6 @@ static rpmRC ndb_pkgdbIter(dbiIndex dbi, dbiCursor dbc, unsigned char **hdrBlob,
- 	    break;
- 	dbc->ilist++;
- 	if (!rc) {
-	    dbc->hdrNum = hdrNum;
- 	    setdata(dbc, hdrNum, *hdrBlob, *hdrLen);
- 	    break;
- 	}
-@@ -377,16 +406,16 @@ static rpmRC ndb_pkgdbGet(dbiIndex dbi, dbiCursor dbc, unsigned int hdrNum, unsi
- 
-     if (!hdrNum)
- 	return ndb_pkgdbIter(dbi, dbc, hdrBlob, hdrLen);
-    if (hdrNum == ndbenv->hdrNum && ndbenv->data) {
-	*hdrBlob = ndbenv->data;
-	*hdrLen = ndbenv->datalen;
-+    if (!dbc->data && ndbenv->data)
-+	adoptdata(dbc);
-+    if (dbc->data && hdrNum == dbc->hdrNum) {
-+	*hdrBlob = dbc->data;
-+	*hdrLen = dbc->datalen;
- 	return RPMRC_OK;
-     }
-     rc = rpmpkgGet(dbc->dbi->dbi_db, hdrNum, hdrBlob, hdrLen);
-    if (!rc) {
-	dbc->hdrNum = hdrNum;
-+    if (!rc)
- 	setdata(dbc, hdrNum, *hdrBlob, *hdrLen);
-    }
-     return rc;
- }
 
--- a/python-rpm.spec
+++ b/python-rpm.spec
@ -1,7 +1,7 @@
 #
 # spec file for package python-rpm
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 # Copyright (c) 2017 Neal Gompa <ngompa13@gmail.com>.
 #
 # All modifications and additions to the file contributed by third parties
--- a/rpm.changes
+++ b/rpm.changes
@ -1,7 +1,7 @@
 -------------------------------------------------------------------
 Mon Dec 21 16:29:40 CET 2020 - mls@suse.de

- rework header data handling in ndb's glue code [bnc#1179416]
+- fix potential access of freed mem in ndb's glue code [bnc#1179416]
  * new patch: ndbglue.diff

 -------------------------------------------------------------------
--- a/rpm.spec
+++ b/rpm.spec
@ -1,7 +1,7 @@
 #
 # spec file for package rpm
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed