commit 977f4b31b7ca4a4e498c397f3fd70510694bbd86
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Wed Oct 30 16:13:37 2013 +0530
Fix reads for sizes larger than INT_MAX in AF_INET lookup
Currently for AF_INET lookups from the hosts file, buffer sizes larger
than INT_MAX silently overflow and may result in access beyond bounds
of a buffer. This happens when the number of results in an AF_INET
lookup in /etc/hosts are very large.
There are two aspects to the problem. One problem is that the size
computed from the buffer size is stored into an int, which results in
overflow for large sizes. Additionally, even if this size was
expanded, the function used to read content into the buffer (fgets)
accepts only int sizes. As a result, the fix is to have a function
wrap around fgets that calls it multiple times with int sizes if
necessary.
(The previous commit fixes upstream bug 16071.)
commit ac60763eac3d43b7234dd21286ad3ec3f17957fc
Author: Andreas Schwab <schwab@suse.de>
Date: Mon Jun 23 10:24:45 2014 +0200
Don't ignore too long lines in nss_files (BZ #17079)
commit e07aabba73ea62e7dfa0512507c92efb851fbdbe
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Sep 22 13:20:18 2015 +0200
Add test case for bug 18287
commit 90fa42a1d7b78de0d75f7e3af362275b2abe807f
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Sep 22 13:40:17 2015 +0200
Test in commit e07aabba73ea62e7dfa0512507c92efb851fbdbe is for bug 17079
diff -u b/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c
--- b/nss/nss_files/files-XXX.c
+++ b/nss/nss_files/files-XXX.c
@@ -179,8 +179,53 @@
return NSS_STATUS_SUCCESS;
}
-/* Parsing the database file into `struct STRUCTURE' data structures. */
+typedef enum
+{
+ gcr_ok = 0,
+ gcr_error = -1,
+ gcr_overflow = -2
+} get_contents_ret;
+
+/* Hack around the fact that fgets only accepts int sizes. */
+static get_contents_ret
+get_contents (char *linebuf, size_t len, FILE *stream)
+{
+ size_t remaining_len = len;
+ char *curbuf = linebuf;
+
+ do
+ {
+ int curlen = ((remaining_len > (size_t) INT_MAX) ? INT_MAX
+ : remaining_len);
+
+ /* Terminate the line so that we can test for overflow. */
+ ((unsigned char *) curbuf)[curlen - 1] = 0xff;
+
+ char *p = fgets_unlocked (curbuf, curlen, stream);
+
+ /* EOF or read error. */
+ if (p == NULL)
+ return gcr_error;
+
+ /* Done reading in the line. */
+ if (((unsigned char *) curbuf)[curlen - 1] == 0xff)
+ return gcr_ok;
+
+ /* Drop the terminating '\0'. */
+ remaining_len -= curlen - 1;
+ curbuf += curlen - 1;
+ }
+ /* fgets copies one less than the input length. Our last iteration is of
+ REMAINING_LEN and once that is done, REMAINING_LEN is decremented by
+ REMAINING_LEN - 1, leaving the result as 1. */
+ while (remaining_len > 1);
+
+ /* This means that the current buffer was not large enough. */
+ return gcr_overflow;
+}
+
+/* Parsing the database file into `struct STRUCTURE' data structures. */
static enum nss_status
internal_getent (struct STRUCTURE *result,
char *buffer, size_t buflen, int *errnop H_ERRNO_PROTO
@@ -188,7 +233,7 @@
{
char *p;
struct parser_data *data = (void *) buffer;
- int linebuflen = buffer + buflen - data->linebuffer;
+ size_t linebuflen = buffer + buflen - data->linebuffer;
int parse_result;
if (buflen < sizeof *data + 2)
@@ -200,17 +245,16 @@
do
{
- /* Terminate the line so that we can test for overflow. */
- ((unsigned char *) data->linebuffer)[linebuflen - 1] = '\xff';
+ get_contents_ret r = get_contents (data->linebuffer, linebuflen, stream);
- p = fgets_unlocked (data->linebuffer, linebuflen, stream);
- if (p == NULL)
+ if (r == gcr_error)
{
/* End of file or read error. */
H_ERRNO_SET (HOST_NOT_FOUND);
return NSS_STATUS_NOTFOUND;
}
- else if (((unsigned char *) data->linebuffer)[linebuflen - 1] != 0xff)
+
+ if (r == gcr_overflow)
{
/* The line is too long. Give the user the opportunity to
enlarge the buffer. */
@@ -219,7 +263,8 @@
return NSS_STATUS_TRYAGAIN;
}
- /* Skip leading blanks. */
+ /* Everything OK. Now skip leading blanks. */
+ p = data->linebuffer;
while (isspace (*p))
++p;
}
diff a/nss/bug17079.c b/nss/bug17079.c
--- /dev/null
+++ b/nss/bug17079.c
@@ -0,0 +1,236 @@
+/* Test for bug 17079: heap overflow in NSS with small buffers.
+ Copyright (C) 2015 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <errno.h>
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* Check if two passwd structs contain the same data. */
+static bool
+equal (const struct passwd *a, const struct passwd *b)
+{
+ return strcmp (a->pw_name, b->pw_name) == 0
+ && strcmp (a->pw_passwd, b->pw_passwd) == 0
+ && a->pw_uid == b->pw_uid
+ && a->pw_gid == b->pw_gid
+ && strcmp (a->pw_gecos, b->pw_gecos) == 0
+ && strcmp (a->pw_dir, b->pw_dir) == 0
+ && strcmp (a->pw_shell, b->pw_shell) == 0;
+}
+
+enum { MAX_TEST_ITEMS = 10 };
+static struct passwd test_items[MAX_TEST_ITEMS];
+static int test_count;
+
+/* Initialize test_items and test_count above, with data from the
+ passwd database. */
+static bool
+init_test_items (void)
+{
+ setpwent ();
+ do
+ {
+ struct passwd *pwd = getpwent ();
+ if (pwd == NULL)
+ break;
+ struct passwd *target = test_items + test_count;
+ target->pw_name = strdup (pwd->pw_name);
+ target->pw_passwd = strdup (pwd->pw_passwd);
+ target->pw_uid = pwd->pw_uid;
+ target->pw_gid = pwd->pw_gid;
+ target->pw_gecos = strdup (pwd->pw_gecos);
+ target->pw_dir = strdup (pwd->pw_dir);
+ target->pw_shell = strdup (pwd->pw_shell);
+ }
+ while (++test_count < MAX_TEST_ITEMS);
+ endpwent ();
+
+ /* Filter out those test items which cannot be looked up by name or
+ UID. */
+ bool found = false;
+ for (int i = 0; i < test_count; ++i)
+ {
+ struct passwd *pwd1 = getpwnam (test_items[i].pw_name);
+ struct passwd *pwd2 = getpwuid (test_items[i].pw_uid);
+ if (pwd1 == NULL || !equal (pwd1, test_items + i)
+ || pwd2 == NULL || !equal (pwd2, test_items + i))
+ test_items[i].pw_name = NULL;
+ else
+ found = true;
+ }
+
+ if (!found)
+ puts ("error: no accounts found which can be looked up by name and UID.");
+ return found;
+}
+
+/* Set to true if an error is encountered. */
+static bool errors;
+
+/* Return true if the padding has not been tampered with. */
+static bool
+check_padding (char *buffer, size_t size, char pad)
+{
+ char *end = buffer + size;
+ while (buffer < end)
+ {
+ if (*buffer != pad)
+ return false;
+ ++buffer;
+ }
+ return true;
+}
+
+/* Test one buffer size and padding combination. */
+static void
+test_one (const struct passwd *item, size_t buffer_size,
+ char pad, size_t padding_size)
+{
+ char *buffer = malloc (buffer_size + padding_size);
+ if (buffer == NULL)
+ {
+ puts ("error: malloc failure");
+ errors = true;
+ return;
+ }
+
+ struct passwd pwd;
+ struct passwd *result;
+ int ret;
+
+ /* Test getpwname_r. */
+ memset (buffer, pad, buffer_size + padding_size);
+ pwd = (struct passwd) {};
+ ret = getpwnam_r (item->pw_name, &pwd, buffer, buffer_size, &result);
+ if (!check_padding (buffer + buffer_size, padding_size, pad))
+ {
+ printf ("error: padding change: "
+ "name \"%s\", buffer size %zu, padding size %zu, pad 0x%02x\n",
+ item->pw_name, buffer_size, padding_size, (unsigned char) pad);
+ errors = true;
+ }
+ if (ret == 0)
+ {
+ if (result == NULL)
+ {
+ printf ("error: no data: name \"%s\", buffer size %zu\n",
+ item->pw_name, buffer_size);
+ errors = true;
+ }
+ else if (!equal (item, result))
+ {
+ printf ("error: lookup mismatch: name \"%s\", buffer size %zu\n",
+ item->pw_name, buffer_size);
+ errors = true;
+ }
+ }
+ else if (ret != ERANGE)
+ {
+ errno = ret;
+ printf ("error: lookup failure for name \"%s\": %m (%d)\n",
+ item->pw_name, ret);
+ errors = true;
+ }
+
+ /* Test getpwuid_r. */
+ memset (buffer, pad, buffer_size + padding_size);
+ pwd = (struct passwd) {};
+ ret = getpwuid_r (item->pw_uid, &pwd, buffer, buffer_size, &result);
+ if (!check_padding (buffer + buffer_size, padding_size, pad))
+ {
+ printf ("error: padding change: "
+ "UID %ld, buffer size %zu, padding size %zu, pad 0x%02x\n",
+ (long) item->pw_uid, buffer_size, padding_size,
+ (unsigned char) pad);
+ errors = true;
+ }
+ if (ret == 0)
+ {
+ if (result == NULL)
+ {
+ printf ("error: no data: UID %ld, buffer size %zu\n",
+ (long) item->pw_uid, buffer_size);
+ errors = true;
+ }
+ else if (!equal (item, result))
+ {
+ printf ("error: lookup mismatch: UID %ld, buffer size %zu\n",
+ (long) item->pw_uid, buffer_size);
+ errors = true;
+ }
+ }
+ else if (ret != ERANGE)
+ {
+ errno = ret;
+ printf ("error: lookup failure for UID \"%ld\": %m (%d)\n",
+ (long) item->pw_uid, ret);
+ errors = true;
+ }
+
+ free (buffer);
+}
+
+/* Test one buffer size with different paddings. */
+static void
+test_buffer_size (size_t buffer_size)
+{
+ for (int i = 0; i < test_count; ++i)
+ for (size_t padding_size = 0; padding_size < 3; ++padding_size)
+ {
+ test_one (test_items + i, buffer_size, '\0', padding_size);
+ if (padding_size > 0)
+ {
+ test_one (test_items + i, buffer_size, ':', padding_size);
+ test_one (test_items + i, buffer_size, '\n', padding_size);
+ test_one (test_items + i, buffer_size, '\xff', padding_size);
+ test_one (test_items + i, buffer_size, '@', padding_size);
+ }
+ }
+}
+
+int
+do_test (void)
+{
+ if (!init_test_items ())
+ return 1;
+ printf ("info: %d test items\n", test_count);
+
+ for (size_t buffer_size = 0; buffer_size <= 65; ++buffer_size)
+ test_buffer_size (buffer_size);
+ for (size_t buffer_size = 64 + 4; buffer_size < 256; buffer_size += 4)
+ test_buffer_size (buffer_size);
+ test_buffer_size (255);
+ test_buffer_size (257);
+ for (size_t buffer_size = 256; buffer_size < 512; buffer_size += 8)
+ test_buffer_size (buffer_size);
+ test_buffer_size (511);
+ test_buffer_size (513);
+ test_buffer_size (1024);
+ test_buffer_size (2048);
+
+ if (errors)
+ return 1;
+ else
+ return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
diff a/nss/Makefile b/nss/Makefile
--- a/nss/Makefile
+++ b/nss/Makefile
@@ -39,6 +39,6 @@
extra-objs += $(makedb-modules:=.o)
-tests = test-netdb tst-nss-test1
+tests = test-netdb tst-nss-test1 bug17079
xtests = bug-erange
include ../Makeconfig