|
|
2e9afc |
commit 977f4b31b7ca4a4e498c397f3fd70510694bbd86
|
|
|
2e9afc |
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
|
|
|
2e9afc |
Date: Wed Oct 30 16:13:37 2013 +0530
|
|
|
2e9afc |
|
|
|
2e9afc |
Fix reads for sizes larger than INT_MAX in AF_INET lookup
|
|
|
2e9afc |
|
|
|
2e9afc |
Currently for AF_INET lookups from the hosts file, buffer sizes larger
|
|
|
2e9afc |
than INT_MAX silently overflow and may result in access beyond bounds
|
|
|
2e9afc |
of a buffer. This happens when the number of results in an AF_INET
|
|
|
2e9afc |
lookup in /etc/hosts are very large.
|
|
|
2e9afc |
|
|
|
2e9afc |
There are two aspects to the problem. One problem is that the size
|
|
|
2e9afc |
computed from the buffer size is stored into an int, which results in
|
|
|
2e9afc |
overflow for large sizes. Additionally, even if this size was
|
|
|
2e9afc |
expanded, the function used to read content into the buffer (fgets)
|
|
|
2e9afc |
accepts only int sizes. As a result, the fix is to have a function
|
|
|
2e9afc |
wrap around fgets that calls it multiple times with int sizes if
|
|
|
2e9afc |
necessary.
|
|
|
2e9afc |
|
|
|
2e9afc |
diff --git a/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c
|
|
|
2e9afc |
index 082d1ea..b62208c 100644
|
|
|
2e9afc |
--- a/nss/nss_files/files-XXX.c
|
|
|
2e9afc |
+++ b/nss/nss_files/files-XXX.c
|
|
|
2e9afc |
@@ -179,8 +179,51 @@ CONCAT(_nss_files_end,ENTNAME) (void)
|
|
|
2e9afc |
return NSS_STATUS_SUCCESS;
|
|
|
2e9afc |
}
|
|
|
2e9afc |
|
|
|
2e9afc |
-/* Parsing the database file into `struct STRUCTURE' data structures. */
|
|
|
2e9afc |
|
|
|
2e9afc |
+typedef enum
|
|
|
2e9afc |
+{
|
|
|
2e9afc |
+ gcr_ok = 0,
|
|
|
2e9afc |
+ gcr_error = -1,
|
|
|
2e9afc |
+ gcr_overflow = -2
|
|
|
2e9afc |
+} get_contents_ret;
|
|
|
2e9afc |
+
|
|
|
2e9afc |
+/* Hack around the fact that fgets only accepts int sizes. */
|
|
|
2e9afc |
+static get_contents_ret
|
|
|
2e9afc |
+get_contents (char *linebuf, size_t len, FILE *stream)
|
|
|
2e9afc |
+{
|
|
|
2e9afc |
+ size_t remaining_len = len;
|
|
|
2e9afc |
+ char *curbuf = linebuf;
|
|
|
2e9afc |
+
|
|
|
2e9afc |
+ do
|
|
|
2e9afc |
+ {
|
|
|
2e9afc |
+ int curlen = ((remaining_len > (size_t) INT_MAX) ? INT_MAX
|
|
|
2e9afc |
+ : remaining_len);
|
|
|
2e9afc |
+ char *p = fgets_unlocked (curbuf, curlen, stream);
|
|
|
2e9afc |
+
|
|
|
2e9afc |
+ ((unsigned char *) curbuf)[curlen - 1] = 0xff;
|
|
|
2e9afc |
+
|
|
|
2e9afc |
+ /* EOF or read error. */
|
|
|
2e9afc |
+ if (p == NULL)
|
|
|
2e9afc |
+ return gcr_error;
|
|
|
2e9afc |
+
|
|
|
2e9afc |
+ /* Done reading in the line. */
|
|
|
2e9afc |
+ if (((unsigned char *) curbuf)[curlen - 1] == 0xff)
|
|
|
2e9afc |
+ return gcr_ok;
|
|
|
2e9afc |
+
|
|
|
2e9afc |
+ /* Drop the terminating '\0'. */
|
|
|
2e9afc |
+ remaining_len -= curlen - 1;
|
|
|
2e9afc |
+ curbuf += curlen - 1;
|
|
|
2e9afc |
+ }
|
|
|
2e9afc |
+ /* fgets copies one less than the input length. Our last iteration is of
|
|
|
2e9afc |
+ REMAINING_LEN and once that is done, REMAINING_LEN is decremented by
|
|
|
2e9afc |
+ REMAINING_LEN - 1, leaving the result as 1. */
|
|
|
2e9afc |
+ while (remaining_len > 1);
|
|
|
2e9afc |
+
|
|
|
2e9afc |
+ /* This means that the current buffer was not large enough. */
|
|
|
2e9afc |
+ return gcr_overflow;
|
|
|
2e9afc |
+}
|
|
|
2e9afc |
+
|
|
|
2e9afc |
+/* Parsing the database file into `struct STRUCTURE' data structures. */
|
|
|
2e9afc |
static enum nss_status
|
|
|
2e9afc |
internal_getent (struct STRUCTURE *result,
|
|
|
2e9afc |
char *buffer, size_t buflen, int *errnop H_ERRNO_PROTO
|
|
|
2e9afc |
@@ -188,7 +231,7 @@ internal_getent (struct STRUCTURE *result,
|
|
|
2e9afc |
{
|
|
|
2e9afc |
char *p;
|
|
|
2e9afc |
struct parser_data *data = (void *) buffer;
|
|
|
2e9afc |
- int linebuflen = buffer + buflen - data->linebuffer;
|
|
|
2e9afc |
+ size_t linebuflen = buffer + buflen - data->linebuffer;
|
|
|
2e9afc |
int parse_result;
|
|
|
2e9afc |
|
|
|
2e9afc |
if (buflen < sizeof *data + 2)
|
|
|
2e9afc |
@@ -200,17 +243,16 @@ internal_getent (struct STRUCTURE *result,
|
|
|
2e9afc |
|
|
|
2e9afc |
do
|
|
|
2e9afc |
{
|
|
|
2e9afc |
- /* Terminate the line so that we can test for overflow. */
|
|
|
2e9afc |
- ((unsigned char *) data->linebuffer)[linebuflen - 1] = '\xff';
|
|
|
2e9afc |
+ get_contents_ret r = get_contents (data->linebuffer, linebuflen, stream);
|
|
|
2e9afc |
|
|
|
2e9afc |
- p = fgets_unlocked (data->linebuffer, linebuflen, stream);
|
|
|
2e9afc |
- if (p == NULL)
|
|
|
2e9afc |
+ if (r == gcr_error)
|
|
|
2e9afc |
{
|
|
|
2e9afc |
/* End of file or read error. */
|
|
|
2e9afc |
H_ERRNO_SET (HOST_NOT_FOUND);
|
|
|
2e9afc |
return NSS_STATUS_NOTFOUND;
|
|
|
2e9afc |
}
|
|
|
2e9afc |
- else if (((unsigned char *) data->linebuffer)[linebuflen - 1] != 0xff)
|
|
|
2e9afc |
+
|
|
|
2e9afc |
+ if (r == gcr_overflow)
|
|
|
2e9afc |
{
|
|
|
2e9afc |
/* The line is too long. Give the user the opportunity to
|
|
|
2e9afc |
enlarge the buffer. */
|
|
|
2e9afc |
@@ -219,7 +261,8 @@ internal_getent (struct STRUCTURE *result,
|
|
|
2e9afc |
return NSS_STATUS_TRYAGAIN;
|
|
|
2e9afc |
}
|
|
|
2e9afc |
|
|
|
2e9afc |
- /* Skip leading blanks. */
|
|
|
2e9afc |
+ /* Everything OK. Now skip leading blanks. */
|
|
|
2e9afc |
+ p = data->linebuffer;
|
|
|
2e9afc |
while (isspace (*p))
|
|
|
2e9afc |
++p;
|
|
|
2e9afc |
}
|