00db10
commit 977f4b31b7ca4a4e498c397f3fd70510694bbd86
00db10
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
00db10
Date:   Wed Oct 30 16:13:37 2013 +0530
00db10
00db10
    Fix reads for sizes larger than INT_MAX in AF_INET lookup
00db10
    
00db10
    Currently for AF_INET lookups from the hosts file, buffer sizes larger
00db10
    than INT_MAX silently overflow and may result in access beyond bounds
00db10
    of a buffer.  This happens when the number of results in an AF_INET
00db10
    lookup in /etc/hosts are very large.
00db10
    
00db10
    There are two aspects to the problem.  One problem is that the size
00db10
    computed from the buffer size is stored into an int, which results in
00db10
    overflow for large sizes.  Additionally, even if this size was
00db10
    expanded, the function used to read content into the buffer (fgets)
00db10
    accepts only int sizes.  As a result, the fix is to have a function
00db10
    wrap around fgets that calls it multiple times with int sizes if
00db10
    necessary.
00db10
00db10
(The previous commit fixes upstream bug 16071.)
00db10
00db10
commit ac60763eac3d43b7234dd21286ad3ec3f17957fc
00db10
Author: Andreas Schwab <schwab@suse.de>
00db10
Date:   Mon Jun 23 10:24:45 2014 +0200
00db10
00db10
    Don't ignore too long lines in nss_files (BZ #17079)
00db10
00db10
commit e07aabba73ea62e7dfa0512507c92efb851fbdbe
00db10
Author: Florian Weimer <fweimer@redhat.com>
00db10
Date:   Tue Sep 22 13:20:18 2015 +0200
00db10
00db10
    Add test case for bug 18287
00db10
00db10
commit 90fa42a1d7b78de0d75f7e3af362275b2abe807f
00db10
Author: Florian Weimer <fweimer@redhat.com>
00db10
Date:   Tue Sep 22 13:40:17 2015 +0200
00db10
00db10
    Test in commit e07aabba73ea62e7dfa0512507c92efb851fbdbe is for bug 17079
00db10
00db10
diff -u b/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c
00db10
--- b/nss/nss_files/files-XXX.c
00db10
+++ b/nss/nss_files/files-XXX.c
00db10
@@ -179,8 +179,53 @@
00db10
   return NSS_STATUS_SUCCESS;
00db10
 }
00db10
 
00db10
-/* Parsing the database file into `struct STRUCTURE' data structures.  */
00db10
 
00db10
+typedef enum
00db10
+{
00db10
+  gcr_ok = 0,
00db10
+  gcr_error = -1,
00db10
+  gcr_overflow = -2
00db10
+} get_contents_ret;
00db10
+
00db10
+/* Hack around the fact that fgets only accepts int sizes.  */
00db10
+static get_contents_ret
00db10
+get_contents (char *linebuf, size_t len, FILE *stream)
00db10
+{
00db10
+  size_t remaining_len = len;
00db10
+  char *curbuf = linebuf;
00db10
+
00db10
+  do
00db10
+    {
00db10
+      int curlen = ((remaining_len > (size_t) INT_MAX) ? INT_MAX
00db10
+		    : remaining_len);
00db10
+
00db10
+      /* Terminate the line so that we can test for overflow.  */
00db10
+      ((unsigned char *) curbuf)[curlen - 1] = 0xff;
00db10
+
00db10
+      char *p = fgets_unlocked (curbuf, curlen, stream);
00db10
+
00db10
+      /* EOF or read error.  */
00db10
+      if (p == NULL)
00db10
+        return gcr_error;
00db10
+
00db10
+      /* Done reading in the line.  */
00db10
+      if (((unsigned char *) curbuf)[curlen - 1] == 0xff)
00db10
+        return gcr_ok;
00db10
+
00db10
+      /* Drop the terminating '\0'.  */
00db10
+      remaining_len -= curlen - 1;
00db10
+      curbuf += curlen - 1;
00db10
+    }
00db10
+  /* fgets copies one less than the input length.  Our last iteration is of
00db10
+     REMAINING_LEN and once that is done, REMAINING_LEN is decremented by
00db10
+     REMAINING_LEN - 1, leaving the result as 1.  */
00db10
+  while (remaining_len > 1);
00db10
+
00db10
+  /* This means that the current buffer was not large enough.  */
00db10
+  return gcr_overflow;
00db10
+}
00db10
+
00db10
+/* Parsing the database file into `struct STRUCTURE' data structures.  */
00db10
 static enum nss_status
00db10
 internal_getent (struct STRUCTURE *result,
00db10
 		 char *buffer, size_t buflen, int *errnop H_ERRNO_PROTO
00db10
@@ -188,7 +233,7 @@
00db10
 {
00db10
   char *p;
00db10
   struct parser_data *data = (void *) buffer;
00db10
-  int linebuflen = buffer + buflen - data->linebuffer;
00db10
+  size_t linebuflen = buffer + buflen - data->linebuffer;
00db10
   int parse_result;
00db10
 
00db10
   if (buflen < sizeof *data + 2)
00db10
@@ -200,17 +245,16 @@
00db10
 
00db10
   do
00db10
     {
00db10
-      /* Terminate the line so that we can test for overflow.  */
00db10
-      ((unsigned char *) data->linebuffer)[linebuflen - 1] = '\xff';
00db10
+      get_contents_ret r = get_contents (data->linebuffer, linebuflen, stream);
00db10
 
00db10
-      p = fgets_unlocked (data->linebuffer, linebuflen, stream);
00db10
-      if (p == NULL)
00db10
+      if (r == gcr_error)
00db10
 	{
00db10
 	  /* End of file or read error.  */
00db10
 	  H_ERRNO_SET (HOST_NOT_FOUND);
00db10
 	  return NSS_STATUS_NOTFOUND;
00db10
 	}
00db10
-      else if (((unsigned char *) data->linebuffer)[linebuflen - 1] != 0xff)
00db10
+
00db10
+      if (r == gcr_overflow)
00db10
 	{
00db10
 	  /* The line is too long.  Give the user the opportunity to
00db10
 	     enlarge the buffer.  */
00db10
@@ -219,7 +263,8 @@
00db10
 	  return NSS_STATUS_TRYAGAIN;
00db10
 	}
00db10
 
00db10
-      /* Skip leading blanks.  */
00db10
+      /* Everything OK.  Now skip leading blanks.  */
00db10
+      p = data->linebuffer;
00db10
       while (isspace (*p))
00db10
 	++p;
00db10
     }
00db10
00db10
diff a/nss/bug17079.c b/nss/bug17079.c
00db10
--- /dev/null
00db10
+++ b/nss/bug17079.c
00db10
@@ -0,0 +1,236 @@
00db10
+/* Test for bug 17079: heap overflow in NSS with small buffers.
00db10
+   Copyright (C) 2015 Free Software Foundation, Inc.
00db10
+   This file is part of the GNU C Library.
00db10
+
00db10
+   The GNU C Library is free software; you can redistribute it and/or
00db10
+   modify it under the terms of the GNU Lesser General Public
00db10
+   License as published by the Free Software Foundation; either
00db10
+   version 2.1 of the License, or (at your option) any later version.
00db10
+
00db10
+   The GNU C Library is distributed in the hope that it will be useful,
00db10
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
00db10
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
00db10
+   Lesser General Public License for more details.
00db10
+
00db10
+   You should have received a copy of the GNU Lesser General Public
00db10
+   License along with the GNU C Library; if not, see
00db10
+   <http://www.gnu.org/licenses/>.  */
00db10
+
00db10
+#include <errno.h>
00db10
+#include <pwd.h>
00db10
+#include <stdbool.h>
00db10
+#include <stdio.h>
00db10
+#include <stdlib.h>
00db10
+#include <string.h>
00db10
+
00db10
+/* Check if two passwd structs contain the same data.  */
00db10
+static bool
00db10
+equal (const struct passwd *a, const struct passwd *b)
00db10
+{
00db10
+  return strcmp (a->pw_name, b->pw_name) == 0
00db10
+    && strcmp (a->pw_passwd, b->pw_passwd) == 0
00db10
+    && a->pw_uid == b->pw_uid
00db10
+    && a->pw_gid == b->pw_gid
00db10
+    && strcmp (a->pw_gecos, b->pw_gecos) == 0
00db10
+    && strcmp (a->pw_dir, b->pw_dir) == 0
00db10
+    && strcmp (a->pw_shell, b->pw_shell) == 0;
00db10
+}
00db10
+
00db10
+enum { MAX_TEST_ITEMS = 10 };
00db10
+static struct passwd test_items[MAX_TEST_ITEMS];
00db10
+static int test_count;
00db10
+
00db10
+/* Initialize test_items and test_count above, with data from the
00db10
+   passwd database.  */
00db10
+static bool
00db10
+init_test_items (void)
00db10
+{
00db10
+  setpwent ();
00db10
+  do
00db10
+    {
00db10
+      struct passwd *pwd = getpwent ();
00db10
+      if (pwd == NULL)
00db10
+        break;
00db10
+      struct passwd *target = test_items + test_count;
00db10
+      target->pw_name = strdup (pwd->pw_name);
00db10
+      target->pw_passwd = strdup (pwd->pw_passwd);
00db10
+      target->pw_uid = pwd->pw_uid;
00db10
+      target->pw_gid = pwd->pw_gid;
00db10
+      target->pw_gecos = strdup (pwd->pw_gecos);
00db10
+      target->pw_dir = strdup (pwd->pw_dir);
00db10
+      target->pw_shell = strdup (pwd->pw_shell);
00db10
+    }
00db10
+  while (++test_count < MAX_TEST_ITEMS);
00db10
+  endpwent ();
00db10
+
00db10
+  /* Filter out those test items which cannot be looked up by name or
00db10
+     UID.  */
00db10
+  bool found = false;
00db10
+  for (int i = 0; i < test_count; ++i)
00db10
+    {
00db10
+      struct passwd *pwd1 = getpwnam (test_items[i].pw_name);
00db10
+      struct passwd *pwd2 = getpwuid (test_items[i].pw_uid);
00db10
+      if (pwd1 == NULL || !equal (pwd1, test_items + i)
00db10
+          || pwd2 == NULL || !equal (pwd2, test_items + i))
00db10
+        test_items[i].pw_name = NULL;
00db10
+      else
00db10
+        found = true;
00db10
+    }
00db10
+
00db10
+  if (!found)
00db10
+    puts ("error: no accounts found which can be looked up by name and UID.");
00db10
+  return found;
00db10
+}
00db10
+
00db10
+/* Set to true if an error is encountered.  */
00db10
+static bool errors;
00db10
+
00db10
+/* Return true if the padding has not been tampered with.  */
00db10
+static bool
00db10
+check_padding (char *buffer, size_t size, char pad)
00db10
+{
00db10
+  char *end = buffer + size;
00db10
+  while (buffer < end)
00db10
+    {
00db10
+      if (*buffer != pad)
00db10
+        return false;
00db10
+      ++buffer;
00db10
+    }
00db10
+  return true;
00db10
+}
00db10
+
00db10
+/* Test one buffer size and padding combination.  */
00db10
+static void
00db10
+test_one (const struct passwd *item, size_t buffer_size,
00db10
+           char pad, size_t padding_size)
00db10
+{
00db10
+  char *buffer = malloc (buffer_size + padding_size);
00db10
+  if (buffer == NULL)
00db10
+    {
00db10
+      puts ("error: malloc failure");
00db10
+      errors = true;
00db10
+      return;
00db10
+    }
00db10
+
00db10
+  struct passwd pwd;
00db10
+  struct passwd *result;
00db10
+  int ret;
00db10
+
00db10
+  /* Test getpwname_r.  */
00db10
+  memset (buffer, pad, buffer_size + padding_size);
00db10
+  pwd = (struct passwd) {};
00db10
+  ret = getpwnam_r (item->pw_name, &pwd, buffer, buffer_size, &result);
00db10
+  if (!check_padding (buffer + buffer_size, padding_size, pad))
00db10
+    {
00db10
+      printf ("error: padding change: "
00db10
+              "name \"%s\", buffer size %zu, padding size %zu, pad 0x%02x\n",
00db10
+              item->pw_name, buffer_size, padding_size, (unsigned char) pad);
00db10
+      errors = true;
00db10
+    }
00db10
+  if (ret == 0)
00db10
+    {
00db10
+      if (result == NULL)
00db10
+        {
00db10
+          printf ("error: no data: name \"%s\", buffer size %zu\n",
00db10
+                  item->pw_name, buffer_size);
00db10
+          errors = true;
00db10
+        }
00db10
+      else if (!equal (item, result))
00db10
+        {
00db10
+          printf ("error: lookup mismatch: name \"%s\", buffer size %zu\n",
00db10
+                  item->pw_name, buffer_size);
00db10
+          errors = true;
00db10
+        }
00db10
+    }
00db10
+  else if (ret != ERANGE)
00db10
+    {
00db10
+      errno = ret;
00db10
+      printf ("error: lookup failure for name \"%s\": %m (%d)\n",
00db10
+              item->pw_name, ret);
00db10
+      errors = true;
00db10
+    }
00db10
+
00db10
+  /* Test getpwuid_r.  */
00db10
+  memset (buffer, pad, buffer_size + padding_size);
00db10
+  pwd = (struct passwd) {};
00db10
+  ret = getpwuid_r (item->pw_uid, &pwd, buffer, buffer_size, &result);
00db10
+  if (!check_padding (buffer + buffer_size, padding_size, pad))
00db10
+    {
00db10
+      printf ("error: padding change: "
00db10
+              "UID %ld, buffer size %zu, padding size %zu, pad 0x%02x\n",
00db10
+              (long) item->pw_uid, buffer_size, padding_size,
00db10
+              (unsigned char) pad);
00db10
+      errors = true;
00db10
+    }
00db10
+  if (ret == 0)
00db10
+    {
00db10
+      if (result == NULL)
00db10
+        {
00db10
+          printf ("error: no data: UID %ld, buffer size %zu\n",
00db10
+                  (long) item->pw_uid, buffer_size);
00db10
+          errors = true;
00db10
+        }
00db10
+      else if (!equal (item, result))
00db10
+        {
00db10
+          printf ("error: lookup mismatch: UID %ld, buffer size %zu\n",
00db10
+                  (long) item->pw_uid, buffer_size);
00db10
+          errors = true;
00db10
+        }
00db10
+    }
00db10
+  else if (ret != ERANGE)
00db10
+    {
00db10
+      errno = ret;
00db10
+      printf ("error: lookup failure for UID \"%ld\": %m (%d)\n",
00db10
+              (long) item->pw_uid, ret);
00db10
+      errors = true;
00db10
+    }
00db10
+
00db10
+  free (buffer);
00db10
+}
00db10
+
00db10
+/* Test one buffer size with different paddings.  */
00db10
+static void
00db10
+test_buffer_size (size_t buffer_size)
00db10
+{
00db10
+  for (int i = 0; i < test_count; ++i)
00db10
+    for (size_t padding_size = 0; padding_size < 3; ++padding_size)
00db10
+      {
00db10
+        test_one (test_items + i, buffer_size, '\0', padding_size);
00db10
+        if (padding_size > 0)
00db10
+          {
00db10
+            test_one (test_items + i, buffer_size, ':', padding_size);
00db10
+            test_one (test_items + i, buffer_size, '\n', padding_size);
00db10
+            test_one (test_items + i, buffer_size, '\xff', padding_size);
00db10
+            test_one (test_items + i, buffer_size, '@', padding_size);
00db10
+          }
00db10
+      }
00db10
+}
00db10
+
00db10
+int
00db10
+do_test (void)
00db10
+{
00db10
+  if (!init_test_items ())
00db10
+    return 1;
00db10
+  printf ("info: %d test items\n", test_count);
00db10
+
00db10
+  for (size_t buffer_size = 0; buffer_size <= 65; ++buffer_size)
00db10
+    test_buffer_size (buffer_size);
00db10
+  for (size_t buffer_size = 64 + 4; buffer_size < 256; buffer_size += 4)
00db10
+    test_buffer_size (buffer_size);
00db10
+  test_buffer_size (255);
00db10
+  test_buffer_size (257);
00db10
+  for (size_t buffer_size = 256; buffer_size < 512; buffer_size += 8)
00db10
+    test_buffer_size (buffer_size);
00db10
+  test_buffer_size (511);
00db10
+  test_buffer_size (513);
00db10
+  test_buffer_size (1024);
00db10
+  test_buffer_size (2048);
00db10
+
00db10
+  if (errors)
00db10
+    return 1;
00db10
+  else
00db10
+    return 0;
00db10
+}
00db10
+
00db10
+#define TEST_FUNCTION do_test ()
00db10
+#include "../test-skeleton.c"
00db10
diff a/nss/Makefile b/nss/Makefile
00db10
--- a/nss/Makefile
00db10
+++ b/nss/Makefile
00db10
@@ -39,6 +39,6 @@
00db10
 extra-objs		+= $(makedb-modules:=.o)
00db10
 
00db10
-tests			= test-netdb tst-nss-test1
00db10
+tests			= test-netdb tst-nss-test1 bug17079
00db10
 xtests			= bug-erange
00db10
 
00db10
 include ../Makeconfig