From f9859498b52d89bf60dbddd898752f859f4952d3 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Thu, 15 Mar 2018 12:50:20 +0100

Subject: [PATCH] nss: add a netgroup counter to struct nss_enum_index

Netgroups are not looked up with the help of a single request but by

calling setnetgrent(), getnetgrent() and endnetgrent() where

getnetgrent() might be called multiple times depending on the number of

netgroup elements. Since the caller does not provide a state the state

has to be maintained by the SSSD nss responder. Besides the netgroup

name this is mainly the number of elements already returned.

This number is used to select the next element to return and currently

it is assumed that there are not changes to the netgroup while the

client is requesting the individual elements. But if e.g. the 3 nss

calls are not used correctly or the netgroup is modified while the

client is sending getnetgrent() calls the stored number might be out of

range. To be on the safe side the stored number should be always

compared with the current number of netgroup elements.

Related to https://pagure.io/SSSD/sssd/issue/3679

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

(cherry picked from commit 08db22b1b1a2e742edbca92e35087294d963adda)

DOWNSTREAM:

Resolves: rhbz#1579703 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000] [rhel-7.5.z]

---

 src/db/sysdb.h                         | 3 ++-

 src/db/sysdb_search.c                  | 5 ++++-

 src/responder/nss/nss_enum.c           | 3 ++-

 src/responder/nss/nss_private.h        | 1 +

 src/responder/nss/nss_protocol_netgr.c | 7 +++++++

 5 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/db/sysdb.h b/src/db/sysdb.h

index fd18ecefed2b2c5f35060fa47fd160a8968e073b..2660314a75a574d7f5625c8672e5261587056d1a 100644

--- a/src/db/sysdb.h

+++ b/src/db/sysdb.h

@@ -1219,7 +1219,8 @@ errno_t sysdb_attrs_to_list(TALLOC_CTX *mem_ctx,

 errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,

                                struct ldb_result *res,

-                               struct sysdb_netgroup_ctx ***entries);

+                               struct sysdb_netgroup_ctx ***entries,

+                               size_t *netgroup_count);

 errno_t sysdb_dn_sanitize(TALLOC_CTX *mem_ctx, const char *input,

                           char **sanitized);

diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c

index a6a81e23d257331614085403b4dca8ded860600b..9f37cbcd50a778145518c15b6146ad812a5b4fa3 100644

--- a/src/db/sysdb_search.c

+++ b/src/db/sysdb_search.c

@@ -1829,7 +1829,8 @@ done:

 errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,

                                struct ldb_result *res,

-                               struct sysdb_netgroup_ctx ***entries)

+                               struct sysdb_netgroup_ctx ***entries,

+                               size_t *netgroup_count)

 {

     errno_t ret;

     size_t size = 0;

@@ -1933,6 +1934,8 @@ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,

     tmp_entry[c] = NULL;

     *entries = talloc_steal(mem_ctx, tmp_entry);

+    *netgroup_count = c;

+

     ret = EOK;

 done:

diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c

index da844fbced529f606a3e98669fb7b95e0696ce00..b2b22bbae8a373ed3abb47381fabd989d4931690 100644

--- a/src/responder/nss/nss_enum.c

+++ b/src/responder/nss/nss_enum.c

@@ -144,7 +144,8 @@ static void nss_setent_internal_done(struct tevent_req *subreq)

             /* We need to expand the netgroup into triples and members. */

             ret = sysdb_netgr_to_entries(state->enum_ctx,

                                          result[0]->ldb_result,

-                                         &state->enum_ctx->netgroup);

+                                         &state->enum_ctx->netgroup,

+                                         &state->enum_ctx->netgroup_count);

             if (ret != EOK) {

                 goto done;

             }

diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h

index 5fc19d26be9adda4d967086e7b239e49a78866ee..aa8d8e9cde0d73e72d3aa4c186f104d6baae411f 100644

--- a/src/responder/nss/nss_private.h

+++ b/src/responder/nss/nss_private.h

@@ -41,6 +41,7 @@ struct nss_enum_index {

 struct nss_enum_ctx {

     struct cache_req_result **result;

     struct sysdb_netgroup_ctx **netgroup;

+    size_t netgroup_count;

     /* Ongoing cache request that is constructing enumeration result. */

     struct tevent_req *ongoing;

diff --git a/src/responder/nss/nss_protocol_netgr.c b/src/responder/nss/nss_protocol_netgr.c

index ed04fd25821031554e20e14afebaca9b828a748b..9f27c6b78d47f188dea99600a634a18be2512bfb 100644

--- a/src/responder/nss/nss_protocol_netgr.c

+++ b/src/responder/nss/nss_protocol_netgr.c

@@ -126,6 +126,13 @@ nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx,

     idx = cmd_ctx->enum_index;

     entries = cmd_ctx->enum_ctx->netgroup;

+    if (idx->result > cmd_ctx->enum_ctx->netgroup_count) {

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "Unconsistent state while processing netgroups.\n");

+        ret = EINVAL;

+        goto done;

+    }

+

     /* First two fields (length and reserved), filled up later. */

     ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));

     if (ret != EOK) {

-- 

2.17.0