From 2f3bd411aefa9747f17740e9ab06676d51241098 Mon Sep 17 00:00:00 2001 From: Siddhesh Poyarekar Date: Thu, 27 Mar 2014 07:15:22 +0530 Subject: Fix nscd lookup for innetgr when netgroup has wildcards (BZ #16758) nscd works correctly when the request in innetgr is a wildcard, i.e. when one or more of host, user or domain parameters is NULL. However, it does not work when the the triplet in the netgroup definition has a wildcard. This is easy to reproduce for a triplet defined as follows: foonet (,foo,) Here, an innetgr call that looks like this: innetgr ("foonet", "foohost", "foo", NULL); should succeed and so should: innetgr ("foonet", NULL, "foo", "foodomain"); It does succeed with nscd disabled, but not with nscd enabled. This fix adds this additional check for all three parts of the triplet so that it gives the correct result. [BZ #16758] * nscd/netgroupcache.c (addinnetgrX): Succeed if triplet has blank values. (cherry picked from commit fbd6b5a4052316f7eb03c4617eebfaafc59dcc06) --- nscd/netgroupcache.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'nscd/netgroupcache.c') diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index 084f74df2f..8c619eab31 100644 --- a/nscd/netgroupcache.c +++ b/nscd/netgroupcache.c @@ -562,15 +562,19 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, { bool success = true; - if (host != NULL) + /* For the host, user and domain in each triplet, we assume success + if the value is blank because that is how the wildcard entry to + match anything is stored in the netgroup cache. */ + if (host != NULL && *triplets != '\0') success = strcmp (host, triplets) == 0; triplets = (const char *) rawmemchr (triplets, '\0') + 1; - if (success && user != NULL) + if (success && user != NULL && *triplets != '\0') success = strcmp (user, triplets) == 0; triplets = (const char *) rawmemchr (triplets, '\0') + 1; - if (success && (domain == NULL || strcmp (domain, triplets) == 0)) + if (success && (domain == NULL || *triplets == '\0' + || strcmp (domain, triplets) == 0)) { dataset->resp.result = 1; break; -- cgit v1.2.3-70-g09d2 From b963026c07a304bcfcf56ad5ee9b4f0797c7d3df Mon Sep 17 00:00:00 2001 From: Siddhesh Poyarekar Date: Thu, 27 Mar 2014 19:48:15 +0530 Subject: Avoid overlapping addresses to stpcpy calls in nscd (BZ #16760) Calls to stpcpy from nscd netgroups code will have overlapping source and destination when all three values in the returned triplet are non-NULL and in the expected (host,user,domain) order. This is seen in valgrind as: ==3181== Source and destination overlap in stpcpy(0x19973b48, 0x19973b48) ==3181== at 0x4C2F30A: stpcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==3181== by 0x12567A: addgetnetgrentX (string3.h:111) ==3181== by 0x12722D: addgetnetgrent (netgroupcache.c:665) ==3181== by 0x11114C: nscd_run_worker (connections.c:1338) ==3181== by 0x4E3C102: start_thread (pthread_create.c:309) ==3181== by 0x59B81AC: clone (clone.S:111) ==3181== Fix this by using memmove instead of stpcpy. (cherry picked from commit ea7d8b95e2fcb81f68b04ed7787a3dbda023991a) --- ChangeLog | 4 ++++ NEWS | 7 ++++--- nscd/netgroupcache.c | 16 ++++++++++------ 3 files changed, 18 insertions(+), 9 deletions(-) (limited to 'nscd/netgroupcache.c') diff --git a/ChangeLog b/ChangeLog index 896b564707..e82ba7d174 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,10 @@ * inet/getnetgrent_r.c (get_nonempty_val): New function. (nscd_getnetgrent): Use it. + [BZ #16760] + * nscd/netgroupcache.c (addgetnetgrentX): Use memmove instead + of stpcpy. + 2015-11-24 Andreas Schwab [BZ #17062] diff --git a/NEWS b/NEWS index 6f295a201a..2972c4a5ea 100644 --- a/NEWS +++ b/NEWS @@ -9,9 +9,10 @@ Version 2.19.1 * The following bugs are resolved with this release: - 15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16878, - 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069, 17079, - 17137, 17153, 17213, 17263, 17269, 17325, 17555, 18007, 18032, 18287. + 15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760, + 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069, + 17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 18007, 18032, + 18287. * A buffer overflow in gethostbyname_r and related functions performing DNS requests has been fixed. If the NSS functions were called with a diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index 8c619eab31..c61d10b170 100644 --- a/nscd/netgroupcache.c +++ b/nscd/netgroupcache.c @@ -211,6 +211,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, const char *nuser = data.val.triple.user; const char *ndomain = data.val.triple.domain; + size_t hostlen = strlen (nhost ?: "") + 1; + size_t userlen = strlen (nuser ?: "") + 1; + size_t domainlen = strlen (ndomain ?: "") + 1; + if (nhost == NULL || nuser == NULL || ndomain == NULL || nhost > nuser || nuser > ndomain) { @@ -228,9 +232,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, : last + strlen (last) + 1 - buffer); /* We have to make temporary copies. */ - size_t hostlen = strlen (nhost ?: "") + 1; - size_t userlen = strlen (nuser ?: "") + 1; - size_t domainlen = strlen (ndomain ?: "") + 1; size_t needed = hostlen + userlen + domainlen; if (buflen - req->key_len - bufused < needed) @@ -264,9 +265,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, } char *wp = buffer + buffilled; - wp = stpcpy (wp, nhost) + 1; - wp = stpcpy (wp, nuser) + 1; - wp = stpcpy (wp, ndomain) + 1; + wp = memmove (wp, nhost ?: "", hostlen); + wp += hostlen; + wp = memmove (wp, nuser ?: "", userlen); + wp += userlen; + wp = memmove (wp, ndomain ?: "", domainlen); + wp += domainlen; buffilled = wp - buffer; ++nentries; } -- cgit v1.2.3-70-g09d2