A stack-based buffer overflow in nscd was reported and assigned CVE-2024-33599.

Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=31677

---

nscd/netgroupcache.c (addinnetgrX):

497   struct indataset
498   {
499     struct datahead head;
500     innetgroup_response_header resp;
501   } *dataset
502       = (struct indataset *) mempool_alloc (db,
503                                             sizeof (*dataset) + req->key_len,
504                                             1);

mempool_alloc fails and returns NULL.


This is possible if posix_fallocate fails and the retry fails.

505   struct indataset dataset_mem;
506   bool cacheable = true;
507   if (__glibc_unlikely (dataset == NULL))
508     {
509       cacheable = false;
510       dataset = &dataset_mem;

This structure has no room for req->key_len material.

511     }
512 
513   datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
514                      sizeof (innetgroup_response_header),
515                      he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
516   /* Set the notfound status and timeout based on the result from
517      getnetgrent.  */
518   dataset->head.notfound = result->head.notfound;
519   dataset->head.timeout = timeout;
520 
521   dataset->resp.version = NSCD_VERSION;
522   dataset->resp.found = result->resp.found;
523   /* Until we find a matching entry the result is 0.  */
524   dataset->resp.result = 0;
525 
526   char *key_copy = memcpy ((char *) (dataset + 1), group, req->key_len);

This copies up to req->key_len material to a structure that has no storage space for it.

This was detected by static code analysis.

It will only happen in the case the database runs out of memory/storage while expanding the netgroup cache.

The group entries overwrite other data on the stack after dataset_mem.

The workaround is not to cache the netgroup if this is impacting the use of the application.