|
|
00db10 |
commit 977f4b31b7ca4a4e498c397f3fd70510694bbd86
|
|
|
00db10 |
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
|
|
|
00db10 |
Date: Wed Oct 30 16:13:37 2013 +0530
|
|
|
00db10 |
|
|
|
00db10 |
Fix reads for sizes larger than INT_MAX in AF_INET lookup
|
|
|
00db10 |
|
|
|
00db10 |
Currently for AF_INET lookups from the hosts file, buffer sizes larger
|
|
|
00db10 |
than INT_MAX silently overflow and may result in access beyond bounds
|
|
|
00db10 |
of a buffer. This happens when the number of results in an AF_INET
|
|
|
00db10 |
lookup in /etc/hosts are very large.
|
|
|
00db10 |
|
|
|
00db10 |
There are two aspects to the problem. One problem is that the size
|
|
|
00db10 |
computed from the buffer size is stored into an int, which results in
|
|
|
00db10 |
overflow for large sizes. Additionally, even if this size was
|
|
|
00db10 |
expanded, the function used to read content into the buffer (fgets)
|
|
|
00db10 |
accepts only int sizes. As a result, the fix is to have a function
|
|
|
00db10 |
wrap around fgets that calls it multiple times with int sizes if
|
|
|
00db10 |
necessary.
|
|
|
00db10 |
|
|
|
00db10 |
(The previous commit fixes upstream bug 16071.)
|
|
|
00db10 |
|
|
|
00db10 |
commit ac60763eac3d43b7234dd21286ad3ec3f17957fc
|
|
|
00db10 |
Author: Andreas Schwab <schwab@suse.de>
|
|
|
00db10 |
Date: Mon Jun 23 10:24:45 2014 +0200
|
|
|
00db10 |
|
|
|
00db10 |
Don't ignore too long lines in nss_files (BZ #17079)
|
|
|
00db10 |
|
|
|
00db10 |
commit e07aabba73ea62e7dfa0512507c92efb851fbdbe
|
|
|
00db10 |
Author: Florian Weimer <fweimer@redhat.com>
|
|
|
00db10 |
Date: Tue Sep 22 13:20:18 2015 +0200
|
|
|
00db10 |
|
|
|
00db10 |
Add test case for bug 18287
|
|
|
00db10 |
|
|
|
00db10 |
commit 90fa42a1d7b78de0d75f7e3af362275b2abe807f
|
|
|
00db10 |
Author: Florian Weimer <fweimer@redhat.com>
|
|
|
00db10 |
Date: Tue Sep 22 13:40:17 2015 +0200
|
|
|
00db10 |
|
|
|
00db10 |
Test in commit e07aabba73ea62e7dfa0512507c92efb851fbdbe is for bug 17079
|
|
|
00db10 |
|
|
|
00db10 |
diff -u b/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c
|
|
|
00db10 |
--- b/nss/nss_files/files-XXX.c
|
|
|
00db10 |
+++ b/nss/nss_files/files-XXX.c
|
|
|
00db10 |
@@ -179,8 +179,53 @@
|
|
|
00db10 |
return NSS_STATUS_SUCCESS;
|
|
|
00db10 |
}
|
|
|
00db10 |
|
|
|
00db10 |
-/* Parsing the database file into `struct STRUCTURE' data structures. */
|
|
|
00db10 |
|
|
|
00db10 |
+typedef enum
|
|
|
00db10 |
+{
|
|
|
00db10 |
+ gcr_ok = 0,
|
|
|
00db10 |
+ gcr_error = -1,
|
|
|
00db10 |
+ gcr_overflow = -2
|
|
|
00db10 |
+} get_contents_ret;
|
|
|
00db10 |
+
|
|
|
00db10 |
+/* Hack around the fact that fgets only accepts int sizes. */
|
|
|
00db10 |
+static get_contents_ret
|
|
|
00db10 |
+get_contents (char *linebuf, size_t len, FILE *stream)
|
|
|
00db10 |
+{
|
|
|
00db10 |
+ size_t remaining_len = len;
|
|
|
00db10 |
+ char *curbuf = linebuf;
|
|
|
00db10 |
+
|
|
|
00db10 |
+ do
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ int curlen = ((remaining_len > (size_t) INT_MAX) ? INT_MAX
|
|
|
00db10 |
+ : remaining_len);
|
|
|
00db10 |
+
|
|
|
00db10 |
+ /* Terminate the line so that we can test for overflow. */
|
|
|
00db10 |
+ ((unsigned char *) curbuf)[curlen - 1] = 0xff;
|
|
|
00db10 |
+
|
|
|
00db10 |
+ char *p = fgets_unlocked (curbuf, curlen, stream);
|
|
|
00db10 |
+
|
|
|
00db10 |
+ /* EOF or read error. */
|
|
|
00db10 |
+ if (p == NULL)
|
|
|
00db10 |
+ return gcr_error;
|
|
|
00db10 |
+
|
|
|
00db10 |
+ /* Done reading in the line. */
|
|
|
00db10 |
+ if (((unsigned char *) curbuf)[curlen - 1] == 0xff)
|
|
|
00db10 |
+ return gcr_ok;
|
|
|
00db10 |
+
|
|
|
00db10 |
+ /* Drop the terminating '\0'. */
|
|
|
00db10 |
+ remaining_len -= curlen - 1;
|
|
|
00db10 |
+ curbuf += curlen - 1;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+ /* fgets copies one less than the input length. Our last iteration is of
|
|
|
00db10 |
+ REMAINING_LEN and once that is done, REMAINING_LEN is decremented by
|
|
|
00db10 |
+ REMAINING_LEN - 1, leaving the result as 1. */
|
|
|
00db10 |
+ while (remaining_len > 1);
|
|
|
00db10 |
+
|
|
|
00db10 |
+ /* This means that the current buffer was not large enough. */
|
|
|
00db10 |
+ return gcr_overflow;
|
|
|
00db10 |
+}
|
|
|
00db10 |
+
|
|
|
00db10 |
+/* Parsing the database file into `struct STRUCTURE' data structures. */
|
|
|
00db10 |
static enum nss_status
|
|
|
00db10 |
internal_getent (struct STRUCTURE *result,
|
|
|
00db10 |
char *buffer, size_t buflen, int *errnop H_ERRNO_PROTO
|
|
|
00db10 |
@@ -188,7 +233,7 @@
|
|
|
00db10 |
{
|
|
|
00db10 |
char *p;
|
|
|
00db10 |
struct parser_data *data = (void *) buffer;
|
|
|
00db10 |
- int linebuflen = buffer + buflen - data->linebuffer;
|
|
|
00db10 |
+ size_t linebuflen = buffer + buflen - data->linebuffer;
|
|
|
00db10 |
int parse_result;
|
|
|
00db10 |
|
|
|
00db10 |
if (buflen < sizeof *data + 2)
|
|
|
00db10 |
@@ -200,17 +245,16 @@
|
|
|
00db10 |
|
|
|
00db10 |
do
|
|
|
00db10 |
{
|
|
|
00db10 |
- /* Terminate the line so that we can test for overflow. */
|
|
|
00db10 |
- ((unsigned char *) data->linebuffer)[linebuflen - 1] = '\xff';
|
|
|
00db10 |
+ get_contents_ret r = get_contents (data->linebuffer, linebuflen, stream);
|
|
|
00db10 |
|
|
|
00db10 |
- p = fgets_unlocked (data->linebuffer, linebuflen, stream);
|
|
|
00db10 |
- if (p == NULL)
|
|
|
00db10 |
+ if (r == gcr_error)
|
|
|
00db10 |
{
|
|
|
00db10 |
/* End of file or read error. */
|
|
|
00db10 |
H_ERRNO_SET (HOST_NOT_FOUND);
|
|
|
00db10 |
return NSS_STATUS_NOTFOUND;
|
|
|
00db10 |
}
|
|
|
00db10 |
- else if (((unsigned char *) data->linebuffer)[linebuflen - 1] != 0xff)
|
|
|
00db10 |
+
|
|
|
00db10 |
+ if (r == gcr_overflow)
|
|
|
00db10 |
{
|
|
|
00db10 |
/* The line is too long. Give the user the opportunity to
|
|
|
00db10 |
enlarge the buffer. */
|
|
|
00db10 |
@@ -219,7 +263,8 @@
|
|
|
00db10 |
return NSS_STATUS_TRYAGAIN;
|
|
|
00db10 |
}
|
|
|
00db10 |
|
|
|
00db10 |
- /* Skip leading blanks. */
|
|
|
00db10 |
+ /* Everything OK. Now skip leading blanks. */
|
|
|
00db10 |
+ p = data->linebuffer;
|
|
|
00db10 |
while (isspace (*p))
|
|
|
00db10 |
++p;
|
|
|
00db10 |
}
|
|
|
00db10 |
|
|
|
00db10 |
diff a/nss/bug17079.c b/nss/bug17079.c
|
|
|
00db10 |
--- /dev/null
|
|
|
00db10 |
+++ b/nss/bug17079.c
|
|
|
00db10 |
@@ -0,0 +1,236 @@
|
|
|
00db10 |
+/* Test for bug 17079: heap overflow in NSS with small buffers.
|
|
|
00db10 |
+ Copyright (C) 2015 Free Software Foundation, Inc.
|
|
|
00db10 |
+ This file is part of the GNU C Library.
|
|
|
00db10 |
+
|
|
|
00db10 |
+ The GNU C Library is free software; you can redistribute it and/or
|
|
|
00db10 |
+ modify it under the terms of the GNU Lesser General Public
|
|
|
00db10 |
+ License as published by the Free Software Foundation; either
|
|
|
00db10 |
+ version 2.1 of the License, or (at your option) any later version.
|
|
|
00db10 |
+
|
|
|
00db10 |
+ The GNU C Library is distributed in the hope that it will be useful,
|
|
|
00db10 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
00db10 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
00db10 |
+ Lesser General Public License for more details.
|
|
|
00db10 |
+
|
|
|
00db10 |
+ You should have received a copy of the GNU Lesser General Public
|
|
|
00db10 |
+ License along with the GNU C Library; if not, see
|
|
|
00db10 |
+ <http://www.gnu.org/licenses/>. */
|
|
|
00db10 |
+
|
|
|
00db10 |
+#include <errno.h>
|
|
|
00db10 |
+#include <pwd.h>
|
|
|
00db10 |
+#include <stdbool.h>
|
|
|
00db10 |
+#include <stdio.h>
|
|
|
00db10 |
+#include <stdlib.h>
|
|
|
00db10 |
+#include <string.h>
|
|
|
00db10 |
+
|
|
|
00db10 |
+/* Check if two passwd structs contain the same data. */
|
|
|
00db10 |
+static bool
|
|
|
00db10 |
+equal (const struct passwd *a, const struct passwd *b)
|
|
|
00db10 |
+{
|
|
|
00db10 |
+ return strcmp (a->pw_name, b->pw_name) == 0
|
|
|
00db10 |
+ && strcmp (a->pw_passwd, b->pw_passwd) == 0
|
|
|
00db10 |
+ && a->pw_uid == b->pw_uid
|
|
|
00db10 |
+ && a->pw_gid == b->pw_gid
|
|
|
00db10 |
+ && strcmp (a->pw_gecos, b->pw_gecos) == 0
|
|
|
00db10 |
+ && strcmp (a->pw_dir, b->pw_dir) == 0
|
|
|
00db10 |
+ && strcmp (a->pw_shell, b->pw_shell) == 0;
|
|
|
00db10 |
+}
|
|
|
00db10 |
+
|
|
|
00db10 |
+enum { MAX_TEST_ITEMS = 10 };
|
|
|
00db10 |
+static struct passwd test_items[MAX_TEST_ITEMS];
|
|
|
00db10 |
+static int test_count;
|
|
|
00db10 |
+
|
|
|
00db10 |
+/* Initialize test_items and test_count above, with data from the
|
|
|
00db10 |
+ passwd database. */
|
|
|
00db10 |
+static bool
|
|
|
00db10 |
+init_test_items (void)
|
|
|
00db10 |
+{
|
|
|
00db10 |
+ setpwent ();
|
|
|
00db10 |
+ do
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ struct passwd *pwd = getpwent ();
|
|
|
00db10 |
+ if (pwd == NULL)
|
|
|
00db10 |
+ break;
|
|
|
00db10 |
+ struct passwd *target = test_items + test_count;
|
|
|
00db10 |
+ target->pw_name = strdup (pwd->pw_name);
|
|
|
00db10 |
+ target->pw_passwd = strdup (pwd->pw_passwd);
|
|
|
00db10 |
+ target->pw_uid = pwd->pw_uid;
|
|
|
00db10 |
+ target->pw_gid = pwd->pw_gid;
|
|
|
00db10 |
+ target->pw_gecos = strdup (pwd->pw_gecos);
|
|
|
00db10 |
+ target->pw_dir = strdup (pwd->pw_dir);
|
|
|
00db10 |
+ target->pw_shell = strdup (pwd->pw_shell);
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+ while (++test_count < MAX_TEST_ITEMS);
|
|
|
00db10 |
+ endpwent ();
|
|
|
00db10 |
+
|
|
|
00db10 |
+ /* Filter out those test items which cannot be looked up by name or
|
|
|
00db10 |
+ UID. */
|
|
|
00db10 |
+ bool found = false;
|
|
|
00db10 |
+ for (int i = 0; i < test_count; ++i)
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ struct passwd *pwd1 = getpwnam (test_items[i].pw_name);
|
|
|
00db10 |
+ struct passwd *pwd2 = getpwuid (test_items[i].pw_uid);
|
|
|
00db10 |
+ if (pwd1 == NULL || !equal (pwd1, test_items + i)
|
|
|
00db10 |
+ || pwd2 == NULL || !equal (pwd2, test_items + i))
|
|
|
00db10 |
+ test_items[i].pw_name = NULL;
|
|
|
00db10 |
+ else
|
|
|
00db10 |
+ found = true;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+
|
|
|
00db10 |
+ if (!found)
|
|
|
00db10 |
+ puts ("error: no accounts found which can be looked up by name and UID.");
|
|
|
00db10 |
+ return found;
|
|
|
00db10 |
+}
|
|
|
00db10 |
+
|
|
|
00db10 |
+/* Set to true if an error is encountered. */
|
|
|
00db10 |
+static bool errors;
|
|
|
00db10 |
+
|
|
|
00db10 |
+/* Return true if the padding has not been tampered with. */
|
|
|
00db10 |
+static bool
|
|
|
00db10 |
+check_padding (char *buffer, size_t size, char pad)
|
|
|
00db10 |
+{
|
|
|
00db10 |
+ char *end = buffer + size;
|
|
|
00db10 |
+ while (buffer < end)
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ if (*buffer != pad)
|
|
|
00db10 |
+ return false;
|
|
|
00db10 |
+ ++buffer;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+ return true;
|
|
|
00db10 |
+}
|
|
|
00db10 |
+
|
|
|
00db10 |
+/* Test one buffer size and padding combination. */
|
|
|
00db10 |
+static void
|
|
|
00db10 |
+test_one (const struct passwd *item, size_t buffer_size,
|
|
|
00db10 |
+ char pad, size_t padding_size)
|
|
|
00db10 |
+{
|
|
|
00db10 |
+ char *buffer = malloc (buffer_size + padding_size);
|
|
|
00db10 |
+ if (buffer == NULL)
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ puts ("error: malloc failure");
|
|
|
00db10 |
+ errors = true;
|
|
|
00db10 |
+ return;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+
|
|
|
00db10 |
+ struct passwd pwd;
|
|
|
00db10 |
+ struct passwd *result;
|
|
|
00db10 |
+ int ret;
|
|
|
00db10 |
+
|
|
|
00db10 |
+ /* Test getpwname_r. */
|
|
|
00db10 |
+ memset (buffer, pad, buffer_size + padding_size);
|
|
|
00db10 |
+ pwd = (struct passwd) {};
|
|
|
00db10 |
+ ret = getpwnam_r (item->pw_name, &pwd, buffer, buffer_size, &result);
|
|
|
00db10 |
+ if (!check_padding (buffer + buffer_size, padding_size, pad))
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ printf ("error: padding change: "
|
|
|
00db10 |
+ "name \"%s\", buffer size %zu, padding size %zu, pad 0x%02x\n",
|
|
|
00db10 |
+ item->pw_name, buffer_size, padding_size, (unsigned char) pad);
|
|
|
00db10 |
+ errors = true;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+ if (ret == 0)
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ if (result == NULL)
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ printf ("error: no data: name \"%s\", buffer size %zu\n",
|
|
|
00db10 |
+ item->pw_name, buffer_size);
|
|
|
00db10 |
+ errors = true;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+ else if (!equal (item, result))
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ printf ("error: lookup mismatch: name \"%s\", buffer size %zu\n",
|
|
|
00db10 |
+ item->pw_name, buffer_size);
|
|
|
00db10 |
+ errors = true;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+ else if (ret != ERANGE)
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ errno = ret;
|
|
|
00db10 |
+ printf ("error: lookup failure for name \"%s\": %m (%d)\n",
|
|
|
00db10 |
+ item->pw_name, ret);
|
|
|
00db10 |
+ errors = true;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+
|
|
|
00db10 |
+ /* Test getpwuid_r. */
|
|
|
00db10 |
+ memset (buffer, pad, buffer_size + padding_size);
|
|
|
00db10 |
+ pwd = (struct passwd) {};
|
|
|
00db10 |
+ ret = getpwuid_r (item->pw_uid, &pwd, buffer, buffer_size, &result);
|
|
|
00db10 |
+ if (!check_padding (buffer + buffer_size, padding_size, pad))
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ printf ("error: padding change: "
|
|
|
00db10 |
+ "UID %ld, buffer size %zu, padding size %zu, pad 0x%02x\n",
|
|
|
00db10 |
+ (long) item->pw_uid, buffer_size, padding_size,
|
|
|
00db10 |
+ (unsigned char) pad);
|
|
|
00db10 |
+ errors = true;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+ if (ret == 0)
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ if (result == NULL)
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ printf ("error: no data: UID %ld, buffer size %zu\n",
|
|
|
00db10 |
+ (long) item->pw_uid, buffer_size);
|
|
|
00db10 |
+ errors = true;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+ else if (!equal (item, result))
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ printf ("error: lookup mismatch: UID %ld, buffer size %zu\n",
|
|
|
00db10 |
+ (long) item->pw_uid, buffer_size);
|
|
|
00db10 |
+ errors = true;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+ else if (ret != ERANGE)
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ errno = ret;
|
|
|
00db10 |
+ printf ("error: lookup failure for UID \"%ld\": %m (%d)\n",
|
|
|
00db10 |
+ (long) item->pw_uid, ret);
|
|
|
00db10 |
+ errors = true;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+
|
|
|
00db10 |
+ free (buffer);
|
|
|
00db10 |
+}
|
|
|
00db10 |
+
|
|
|
00db10 |
+/* Test one buffer size with different paddings. */
|
|
|
00db10 |
+static void
|
|
|
00db10 |
+test_buffer_size (size_t buffer_size)
|
|
|
00db10 |
+{
|
|
|
00db10 |
+ for (int i = 0; i < test_count; ++i)
|
|
|
00db10 |
+ for (size_t padding_size = 0; padding_size < 3; ++padding_size)
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ test_one (test_items + i, buffer_size, '\0', padding_size);
|
|
|
00db10 |
+ if (padding_size > 0)
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ test_one (test_items + i, buffer_size, ':', padding_size);
|
|
|
00db10 |
+ test_one (test_items + i, buffer_size, '\n', padding_size);
|
|
|
00db10 |
+ test_one (test_items + i, buffer_size, '\xff', padding_size);
|
|
|
00db10 |
+ test_one (test_items + i, buffer_size, '@', padding_size);
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+ }
|
|
|
00db10 |
+}
|
|
|
00db10 |
+
|
|
|
00db10 |
+int
|
|
|
00db10 |
+do_test (void)
|
|
|
00db10 |
+{
|
|
|
00db10 |
+ if (!init_test_items ())
|
|
|
00db10 |
+ return 1;
|
|
|
00db10 |
+ printf ("info: %d test items\n", test_count);
|
|
|
00db10 |
+
|
|
|
00db10 |
+ for (size_t buffer_size = 0; buffer_size <= 65; ++buffer_size)
|
|
|
00db10 |
+ test_buffer_size (buffer_size);
|
|
|
00db10 |
+ for (size_t buffer_size = 64 + 4; buffer_size < 256; buffer_size += 4)
|
|
|
00db10 |
+ test_buffer_size (buffer_size);
|
|
|
00db10 |
+ test_buffer_size (255);
|
|
|
00db10 |
+ test_buffer_size (257);
|
|
|
00db10 |
+ for (size_t buffer_size = 256; buffer_size < 512; buffer_size += 8)
|
|
|
00db10 |
+ test_buffer_size (buffer_size);
|
|
|
00db10 |
+ test_buffer_size (511);
|
|
|
00db10 |
+ test_buffer_size (513);
|
|
|
00db10 |
+ test_buffer_size (1024);
|
|
|
00db10 |
+ test_buffer_size (2048);
|
|
|
00db10 |
+
|
|
|
00db10 |
+ if (errors)
|
|
|
00db10 |
+ return 1;
|
|
|
00db10 |
+ else
|
|
|
00db10 |
+ return 0;
|
|
|
00db10 |
+}
|
|
|
00db10 |
+
|
|
|
00db10 |
+#define TEST_FUNCTION do_test ()
|
|
|
00db10 |
+#include "../test-skeleton.c"
|
|
|
00db10 |
diff a/nss/Makefile b/nss/Makefile
|
|
|
00db10 |
--- a/nss/Makefile
|
|
|
00db10 |
+++ b/nss/Makefile
|
|
|
00db10 |
@@ -39,6 +39,6 @@
|
|
|
00db10 |
extra-objs += $(makedb-modules:=.o)
|
|
|
00db10 |
|
|
|
00db10 |
-tests = test-netdb tst-nss-test1
|
|
|
00db10 |
+tests = test-netdb tst-nss-test1 bug17079
|
|
|
00db10 |
xtests = bug-erange
|
|
|
00db10 |
|
|
|
00db10 |
include ../Makeconfig
|