-rw-r--r--ChangeLog9
-rw-r--r--nscd/nscd-client.h2
-rw-r--r--nscd/nscd_getai.c7
-rw-r--r--nscd/nscd_getgr_r.c16
-rw-r--r--nscd/nscd_gethst_r.c10
-rw-r--r--nscd/nscd_getpw_r.c22
6 files changed, 61 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 48c8d706d4..8adec4449d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
2004-11-09 Ulrich Drepper <drepper@redhat.com>
+ * nscd/nscd-client.h (libc_locked_map_ptr): Add new first
+ parameter, used as class for definition.
+ * nscd/nscd_getpw_r.c: Adjust for libc_locked_map_ptr change.
+ (pw_map_free): Ensure no crash after memory is freed.
+ * nscd/nscd_getgr.c: Likewise. Make map externally visible.
+ * nscd/nscd_gethst.c: Likewise.
+ * nscd/nscd_getai.c: Use map from nscd_gethost.c.
+ * nscd/nscd_initgroups.c: Use map from nscd_getgr.c.
+
* nscd/nscd_getai.c: Add some checks to detect corrupt databases.
* nscd/nscd_getgr_r.c: Likewise
* nscd/nscd_gethst_r.c: Likewise.
diff --git a/nscd/nscd-client.h b/nscd/nscd-client.h
index 2e7f27b8d5..d49cb8136c 100644
--- a/nscd/nscd-client.h
+++ b/nscd/nscd-client.h
@@ -264,7 +264,7 @@ struct locked_map_ptr
int lock;
struct mapped_database *mapped;
};
-#define libc_locked_map_ptr(name) static struct locked_map_ptr name
+#define libc_locked_map_ptr(class, name) class struct locked_map_ptr name
/* Open socket connection to nscd server. */
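Review bot: The added `class` parameter of libc_locked_map_ptr has no comment, so a reader of the header cannot tell what callers are expected to pass. A one-line comment above the #define would cover it, for example `/* CLASS is the storage-class specifier for the definition, e.g. static for a file-local map. */`. This is documentation only; the expansion itself looks fine for the one call site visible in this diff.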
diff --git a/nscd/nscd_getai.c b/nscd/nscd_getai.c
index a683976d87..390b981f99 100644
--- a/nscd/nscd_getai.c
+++ b/nscd/nscd_getai.c
@@ -142,6 +142,12 @@ __nscd_getai (const char *key, struct nscd_ai_result **result, int *h_errnop)
/* Copy the data in the block. */
memcpy (resultbuf + 1, respdata, datalen);
+ /* Try to detect corrupt databases. */
+ if (resultbuf->canon != NULL
+ && resultbuf->canon[ai_resp->canonlen - 1] != '\0')
+ /* We cannot use the database. */
+ goto out_close;
+
retval = 0;
*result = resultbuf;
}
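Review bot: The new `goto out_close` on a corrupt record leaves `resultbuf` unreleased, and since `*result` is not assigned on this path the caller cannot free it either. The allocation is outside the hunk, so this assumes `resultbuf` was heap-allocated earlier in __nscd_getai; if so, the branch should be `{ free (resultbuf); goto out_close; }`. It would also help to confirm that `canon` is only non-NULL when `ai_resp->canonlen` is non-zero, since otherwise `canonlen - 1` indexes before the string.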
@@ -157,6 +163,7 @@ __nscd_getai (const char *key, struct nscd_ai_result **result, int *h_errnop)
retval = 0;
}
+ out_close:
if (sock != -1)
close_not_cancel_no_status (sock);
out:
diff --git a/nscd/nscd_getgr_r.c b/nscd/nscd_getgr_r.c
index 1b94bf584f..fc10d3ea60 100644
--- a/nscd/nscd_getgr_r.c
+++ b/nscd/nscd_getgr_r.c
@@ -204,7 +204,8 @@ nscd_getgr_r (const char *key, size_t keylen, request_type type,
else
/* We already have the data. Just copy the group name and
password. */
- memcpy (resultbuf->gr_name, gr_name, gr_name_len);
+ memcpy (resultbuf->gr_name, gr_name,
+ gr_resp->gr_name_len + gr_resp->gr_passwd_len);
/* Clear the terminating entry. */
resultbuf->gr_mem[gr_resp->gr_mem_cnt] = NULL;
@@ -242,6 +243,19 @@ nscd_getgr_r (const char *key, size_t keylen, request_type type,
/* Copy the group member names. */
memcpy (resultbuf->gr_mem[0], gr_name + gr_name_len, total_len);
+ /* Try to detect corrupt databases. */
+ if (resultbuf->gr_name[gr_name_len - 1] != '\0'
+ || resultbuf->gr_passwd[gr_resp->gr_passwd_len - 1] != '\0'
+ || ({for (cnt = 0; cnt < gr_resp->gr_mem_cnt; ++cnt)
+ if (resultbuf->gr_mem[cnt][len[cnt] - 1] != '\0')
+ break;
+ cnt < gr_resp->gr_mem_cnt; }))
+ {
+ /* We cannot use the database. */
+ retval = -1;
+ goto out_close;
+ }
+
*result = resultbuf;
}
}
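Review bot: The terminator checks index with `length - 1` without first rejecting a zero length, so a corrupt record with an empty field makes the check itself read outside the copied data. Here that applies to `gr_name_len`, `gr_resp->gr_passwd_len` and each `len[cnt]`; the same pattern is in the nscd_gethst_r.c hunk (`hst_resp->h_name_len`, `aliases_len[cnt]`) and the second nscd_getpw_r.c hunk (all five `pw_*_len` fields). Since these lengths come from the very database being validated, I would test them first, e.g. `gr_name_len == 0 || gr_resp->gr_passwd_len == 0 ||` ahead of the existing conditions and `len[cnt] == 0 ||` inside the loop. Whether an earlier check outside the hunk already excludes zero is not visible from here.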
diff --git a/nscd/nscd_gethst_r.c b/nscd/nscd_gethst_r.c
index 407be1441f..64d02fedc7 100644
--- a/nscd/nscd_gethst_r.c
+++ b/nscd/nscd_gethst_r.c
@@ -336,6 +336,16 @@ nscd_gethst_r (const char *key, size_t keylen, request_type type,
memcpy (resultbuf->h_aliases[0],
(const char *) addr_list + addr_list_len, total_len);
+ /* Try to detect corrupt databases. */
+ if (resultbuf->h_name[hst_resp->h_name_len - 1] != '\0'
+ || ({for (cnt = 0; cnt < hst_resp->h_aliases_cnt; ++cnt)
+ if (resultbuf->h_aliases[cnt][aliases_len[cnt] - 1]
+ != '\0')
+ break;
+ cnt < hst_resp->h_aliases_cnt; }))
+ /* We cannot use the database. */
+ goto out_close;
+
retval = 0;
*result = resultbuf;
}
diff --git a/nscd/nscd_getpw_r.c b/nscd/nscd_getpw_r.c
index b04dcfaa99..fe5fb43ca1 100644
--- a/nscd/nscd_getpw_r.c
+++ b/nscd/nscd_getpw_r.c
@@ -66,14 +66,18 @@ __nscd_getpwuid_r (uid_t uid, struct passwd *resultbuf, char *buffer,
}
-libc_locked_map_ptr (map_handle);
+libc_locked_map_ptr (static, map_handle);
/* Note that we only free the structure if necessary. The memory
mapping is not removed since it is not visible to the malloc
handling. */
-libc_freeres_fn (gr_map_free)
+libc_freeres_fn (pw_map_free)
{
if (map_handle.mapped != NO_MAPPING)
- free (map_handle.mapped);
+ {
+ void *p = map_handle.mapped;
+ map_handle.mapped = NO_MAPPING;
+ free (p);
+ }
}
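Review bot: The reset-before-free ordering in pw_map_free is the whole fix, but nothing in the code explains it, so a later cleanup could fold it back into a plain `free`. I would add above `void *p` a comment such as `/* Clear the handle before freeing so a later lookup sees NO_MAPPING instead of a dangling pointer. */`. The hunk does not take `map_handle.lock` around the update; that is presumably acceptable if this only runs from the freeres path, but it is worth stating in the same comment.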
@@ -184,6 +188,18 @@ nscd_getpw_r (const char *key, size_t keylen, request_type type,
/* Copy the various strings. */
memcpy (resultbuf->pw_name, pw_name, total);
+ /* Try to detect corrupt databases. */
+ if (resultbuf->pw_name[pw_resp->pw_name_len - 1] != '\0'
+ || resultbuf->pw_passwd[pw_resp->pw_passwd_len - 1] != '\0'
+ || resultbuf->pw_gecos[pw_resp->pw_gecos_len - 1] != '\0'
+ || resultbuf->pw_dir[pw_resp->pw_dir_len - 1] != '\0'
+ || resultbuf->pw_shell[pw_resp->pw_shell_len - 1] != '\0')
+ {
+ /* We cannot use the database. */
+ retval = -1;
+ goto out_close;
+ }
+
*result = resultbuf;
}
}