Bug 3762 - nscd receives SIGSEGV for certain domain lookups
Summary: nscd receives SIGSEGV for certain domain lookups
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 6.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Cristian Gafton
QA Contact:
Depends On:
Reported: 1999-06-27 20:37 UTC by James Ralston
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-07-28 05:34:59 UTC

Description James Ralston 1999-06-27 20:37:29 UTC
[Note: this report is *not* really about bind, but the
Bugzilla system forced me to choose a component, and nscd
wasn't on the list.]

For the nscd-2.1.1-6 rpm, certain domain lookups
consistently crash the nscd daemon with SIGSEGV.

As of the time of this submission, a good demonstration of
this is to ensure nscd is running, and then point a web
browser at, which currently resolves as

$ host -a
rcode = 0 (Success), ancount=23
The following answer is not authoritative:    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A    530 IN  A
For authoritative answers, see:        37247 IN        NS        37247 IN        NS        37247 IN        NS
Additional information:      52407 IN        A

Here are my running nscd processes:

$ ps fax
 1099 ?        S      0:00 nscd
 1102 ?        S      0:00  \_ nscd
 1103 ?        S      0:00      \_ nscd
 1104 ?        S      0:00      \_ nscd
 1105 ?        S      0:00      \_ nscd
 1106 ?        S      0:00      \_ nscd
 1107 ?        S      0:00      \_ nscd

Now, use strace to watch the parent nscd process (1099, in
this example) as one points a web browser to

SYS_168(0xbffffcec, 0x1, 0x3a98, 0x3a98, 0xbffffcec) = 1
accept(0, 0, NULL)                      = ? ERESTARTSYS (To be restarted)
--- SIGSEGV (Segmentation fault) ---

So far, this is the only domain I've encountered that
crashes nscd, but the fact that this looks a lot like a
buffer overflow problem gives me very queasy feelings about
running nscd.  I have not yet looked at the source, but if
this indeed is a buffer overflow problem, then it *might* be
possible for a clever person to stack-smash nscd (which
normally runs as root) and eventually gain root privileges.

BTW, I run nscd using the default /etc/nscd.conf that comes
with nscd-2.1.1-6; I have not made any modifications.

Comment 1 Jeff Johnson 1999-06-27 21:04:59 UTC
I'm changing the component to glibc because that's the name of the
src.rpm from which the nscd package comes ...

Comment 2 Jeff Johnson 1999-06-27 21:08:59 UTC
You might also look at #3171, which is also nscd related. There
is a fix for that problem that will be in the next glibc errata.

Comment 3 James Ralston 1999-07-13 22:09:59 UTC
Ok, I will wait for the next glibc errata release to show up on, and test it out then.

Comment 4 James Ralston 1999-07-21 21:03:59 UTC
Ok, I've grabbed glibc-2.1.2-1 and glibc-devel-2.1.2-1 from rawhide.
So far, so good; I haven't been able to get nscd to crash.  I'll
report back after a few days of regular use.

Comment 5 James Ralston 1999-07-27 19:26:59 UTC
I wasn't able to get nscd to crash even once with glibc-2.1.2-1.  As
far as I'm concerned, the problem is corrected; I'll wait for
glibc-2.1.2-1 to be released for Red Hat 6.0 before installing it on
my production machines.

Comment 6 Cristian Gafton 1999-07-28 05:34:59 UTC
Fixed in glibc-2.1.2-1 and later, available from rawhide.
