-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | nscd/nscd-client.h | 2 | ||||
-rw-r--r-- | nscd/nscd_getai.c | 7 | ||||
-rw-r--r-- | nscd/nscd_getgr_r.c | 16 | ||||
-rw-r--r-- | nscd/nscd_gethst_r.c | 10 | ||||
-rw-r--r-- | nscd/nscd_getpw_r.c | 22 |
6 files changed, 61 insertions, 5 deletions
@@ -1,5 +1,14 @@ 2004-11-09 Ulrich Drepper <drepper@redhat.com> + * nscd/nscd-client.h (libc_locked_map_ptr): Add new first + parameter, used as class for definition. + * nscd/nscd_getpw_r.c: Adjust for libc_locked_map_ptr change. + (pw_map_free): Ensure no crash after memory is freed. + * nscd/nscd_getgr.c: Likewise. Make map externally visible. + * nscd/nscd_gethst.c: Likewise. + * nscd/nscd_getai.c: Use map from nscd_gethost.c. + * nscd/nscd_initgroups.c: Use map from nscd_getgr.c. + * nscd/nscd_getai.c: Add some checks to detect corrupt databases. * nscd/nscd_getgr_r.c: Likewise * nscd/nscd_gethst_r.c: Likewise. diff --git a/nscd/nscd-client.h b/nscd/nscd-client.h index 2e7f27b8d5..d49cb8136c 100644 --- a/nscd/nscd-client.h +++ b/nscd/nscd-client.h @@ -264,7 +264,7 @@ struct locked_map_ptr int lock; struct mapped_database *mapped; }; -#define libc_locked_map_ptr(name) static struct locked_map_ptr name +#define libc_locked_map_ptr(class, name) class struct locked_map_ptr name /* Open socket connection to nscd server. */ diff --git a/nscd/nscd_getai.c b/nscd/nscd_getai.c index a683976d87..390b981f99 100644 --- a/nscd/nscd_getai.c +++ b/nscd/nscd_getai.c @@ -142,6 +142,12 @@ __nscd_getai (const char *key, struct nscd_ai_result **result, int *h_errnop) /* Copy the data in the block. */ memcpy (resultbuf + 1, respdata, datalen); + /* Try to detect corrupt databases. */ + if (resultbuf->canon != NULL + && resultbuf->canon[ai_resp->canonlen - 1] != '\0') + /* We cannot use the database. */ + goto out_close; + retval = 0; *result = resultbuf; } @@ -157,6 +163,7 @@ __nscd_getai (const char *key, struct nscd_ai_result **result, int *h_errnop) retval = 0; } + out_close: if (sock != -1) close_not_cancel_no_status (sock); out: diff --git a/nscd/nscd_getgr_r.c b/nscd/nscd_getgr_r.c index 1b94bf584f..fc10d3ea60 100644 --- a/nscd/nscd_getgr_r.c +++ b/nscd/nscd_getgr_r.c 
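Review bot: The corrupt-database branch added to __nscd_getai jumps to `out_close` without releasing `resultbuf`, and `*result` is not assigned on that path, so the caller has no pointer to free either. The allocation of `resultbuf` is outside the hunk, so this needs confirming, but if it comes from malloc the branch should become `{ free (resultbuf); goto out_close; }`. The branch also relies on `retval` still holding its failure value, whereas the nscd_getgr_r.c and nscd_getpw_r.c checks set `retval = -1` explicitly. The `canon != NULL` guard protects the `canonlen - 1` index only if `canon` is left NULL whenever `canonlen` is 0, which is decided outside the hunk.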
@@ -204,7 +204,8 @@ nscd_getgr_r (const char *key, size_t keylen, request_type type, else /* We already have the data. Just copy the group name and password. */ - memcpy (resultbuf->gr_name, gr_name, gr_name_len); + memcpy (resultbuf->gr_name, gr_name, + gr_resp->gr_name_len + gr_resp->gr_passwd_len); /* Clear the terminating entry. */ resultbuf->gr_mem[gr_resp->gr_mem_cnt] = NULL; @@ -242,6 +243,19 @@ nscd_getgr_r (const char *key, size_t keylen, request_type type, /* Copy the group member names. */ memcpy (resultbuf->gr_mem[0], gr_name + gr_name_len, total_len); + /* Try to detect corrupt databases. */ + if (resultbuf->gr_name[gr_name_len - 1] != '\0' + || resultbuf->gr_passwd[gr_resp->gr_passwd_len - 1] != '\0' + || ({for (cnt = 0; cnt < gr_resp->gr_mem_cnt; ++cnt) + if (resultbuf->gr_mem[cnt][len[cnt] - 1] != '\0') + break; + cnt < gr_resp->gr_mem_cnt; })) + { + /* We cannot use the database. */ + retval = -1; + goto out_close; + } + *result = resultbuf; } } diff --git a/nscd/nscd_gethst_r.c b/nscd/nscd_gethst_r.c index 407be1441f..64d02fedc7 100644 --- a/nscd/nscd_gethst_r.c +++ b/nscd/nscd_gethst_r.c @@ -336,6 +336,16 @@ nscd_gethst_r (const char *key, size_t keylen, request_type type, memcpy (resultbuf->h_aliases[0], (const char *) addr_list + addr_list_len, total_len); + /* Try to detect corrupt databases. */ + if (resultbuf->h_name[hst_resp->h_name_len - 1] != '\0' + || ({for (cnt = 0; cnt < hst_resp->h_aliases_cnt; ++cnt) + if (resultbuf->h_aliases[cnt][aliases_len[cnt] - 1] + != '\0') + break; + cnt < hst_resp->h_aliases_cnt; })) + /* We cannot use the database. */ + goto out_close; + retval = 0; *result = resultbuf; } diff --git a/nscd/nscd_getpw_r.c b/nscd/nscd_getpw_r.c index b04dcfaa99..fe5fb43ca1 100644 --- a/nscd/nscd_getpw_r.c +++ b/nscd/nscd_getpw_r.c 
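Review bot: Spelling out `gr_resp->gr_name_len + gr_resp->gr_passwd_len` in this memcpy leaves nscd_getgr_r with two spellings of what looks like the same length, because the later context line `memcpy (resultbuf->gr_mem[0], gr_name + gr_name_len, total_len)` still uses the local `gr_name_len` as the offset of the member names. The local is defined outside the hunk, but if it holds name plus password length, the new check `resultbuf->gr_name[gr_name_len - 1] != '\0'` in the next hunk tests the password terminator and the name's own terminator is never tested. In that case the first comparison should read `resultbuf->gr_name[gr_resp->gr_name_len - 1] != '\0'`. A one-line comment at the definition of `gr_name_len` stating which lengths it covers would prevent the confusion.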
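Review bot: The terminator checks index with `len - 1` without first rejecting a length of zero, so `resultbuf->gr_passwd[gr_resp->gr_passwd_len - 1]` and `resultbuf->gr_mem[cnt][len[cnt] - 1]` read the byte before the field when a corrupt record carries 0. That byte is normally the previous field's terminator, so the record passes the check it was meant to fail, and for the first field the read lands one byte before the copied data. Since the point of the check is to reject corrupt databases, each length should be tested before indexing, for example `gr_resp->gr_passwd_len < 1 || resultbuf->gr_passwd[gr_resp->gr_passwd_len - 1] != '\0'`. The same pattern appears in the nscd_gethst_r.c check (`h_name_len`, `aliases_len[cnt]`) and the nscd_getpw_r.c check (all five `pw_*_len` fields). The types of the length fields are declared outside the diff, so whether negative values are possible should be confirmed as well.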
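Review bot: The corrupt-database branch in nscd_gethst_r does `goto out_close` with no assignment to `retval`, while the equivalent branches in nscd_getgr_r.c and nscd_getpw_r.c set `retval = -1` first. This is correct only if `retval` is guaranteed to hold the failure value at this point, which is not visible in the hunk because the function body starts outside it. Making the branch `{ retval = -1; goto out_close; }` would keep the three lookups consistent and robust against an earlier assignment. If the function reports resolver status through an h_errno out-parameter, that should also be set on this path; the parameter list is cut off in the hunk header.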
@@ -66,14 +66,18 @@ __nscd_getpwuid_r (uid_t uid, struct passwd *resultbuf, char *buffer, } -libc_locked_map_ptr (map_handle); +libc_locked_map_ptr (static, map_handle); /* Note that we only free the structure if necessary. The memory mapping is not removed since it is not visible to the malloc handling. */ -libc_freeres_fn (gr_map_free) +libc_freeres_fn (pw_map_free) { if (map_handle.mapped != NO_MAPPING) - free (map_handle.mapped); + { + void *p = map_handle.mapped; + map_handle.mapped = NO_MAPPING; + free (p); + } } @@ -184,6 +188,18 @@ nscd_getpw_r (const char *key, size_t keylen, request_type type, /* Copy the various strings. */ memcpy (resultbuf->pw_name, pw_name, total); + /* Try to detect corrupt databases. */ + if (resultbuf->pw_name[pw_resp->pw_name_len - 1] != '\0' + || resultbuf->pw_passwd[pw_resp->pw_passwd_len - 1] != '\0' + || resultbuf->pw_gecos[pw_resp->pw_gecos_len - 1] != '\0' + || resultbuf->pw_dir[pw_resp->pw_dir_len - 1] != '\0' + || resultbuf->pw_shell[pw_resp->pw_shell_len - 1] != '\0') + { + /* We cannot use the database. */ + retval = -1; + goto out_close; + } + *result = resultbuf; } } |
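Review bot: The reset-before-free in pw_map_free has no comment explaining what it protects against, and the store to `map_handle.mapped` is made without taking `map_handle.lock`. As written it helps only a lookup that runs sequentially after the freeres function, where it will see `NO_MAPPING`, not a dangling pointer; it does not protect a lookup running concurrently in another thread. I would put that in a comment above the braces, such as `/* Reset first so a later lookup sees NO_MAPPING, not freed memory; not safe against concurrent lookups. */`. Whether freeres functions can run while other threads are still doing lookups is not visible in this diff.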