This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug nis/17913] New: NIS+ Stack allocation

From: "max at cxib dot net" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Sun, 01 Feb 2015 20:14:13 +0000
Subject: [Bug nis/17913] New: NIS+ Stack allocation
Auto-submitted: auto-generated

https://sourceware.org/bugzilla/show_bug.cgi?id=17913

            Bug ID: 17913
           Summary: NIS+ Stack allocation
           Product: glibc
           Version: 2.20
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nis
          Assignee: unassigned at sourceware dot org
          Reporter: max at cxib dot net
                CC: kukuk at suse dot de

Reference: 
https://sourceware.org/bugzilla/show_bug.cgi?id=17897

Hi,

I've compared a _nss_nisplus_getservbyname_r() and _nss_nis_getservbyport_r()
and in NIS+ implementation, there is no limit for stack allocation like in NIS
implementation.


NIS 
-------------------------------------
enum nss_status
_nss_nis_getservbyport_r (int port, const char *protocol,
              struct servent *serv, char *buffer,
              size_t buflen, int *errnop)
{
  char *domain;
  if (__glibc_unlikely (yp_get_default_domain (&domain)))
    return NSS_STATUS_UNAVAIL;

  /* If the protocol is given, we only need one query.
     Otherwise try first port/tcp, then port/udp and then fallback
     to sequential scanning of services.byname.  */
  const char *proto = protocol != NULL ? protocol : "tcp";
  /* Limit protocol name length to the maximum size of an RPC packet.  */
  if (strlen (proto) > UDPMSGSIZE)  
<============================================
    {
      *errnop = ERANGE;
      return NSS_STATUS_UNAVAIL;
    }

  do
    {
      /* key is: "port/proto" */
      char key[sizeof (int) * 3 + strlen (proto) + 2];   <================ OK
      size_t keylen = snprintf (key, sizeof (key), "%d/%s", ntohs (port),
                proto);

-------------------------------------


NIS+
-------------------------------------
enum nss_status
_nss_nisplus_getservbyname_r (const char *name, const char *protocol,
                  struct servent *serv,
                  char *buffer, size_t buflen, int *errnop)
{
  if (tablename_val == NULL)
    {
      __libc_lock_lock (lock);

      enum nss_status status = _nss_create_tablename (errnop);

      __libc_lock_unlock (lock);

      if (status != NSS_STATUS_SUCCESS)
    return status;
    }

  if (name == NULL || protocol == NULL)
    {
      *errnop = EINVAL;
      return NSS_STATUS_NOTFOUND;
    }

  size_t protocol_len = strlen (protocol);
  char buf[strlen (name) + protocol_len + 17 + tablename_len]; <======= NOK
  int olderr = errno;
-------------------------------------

in one case, is checking the length, and the second is not.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Follow-Ups:
- [Bug nis/17913] NIS+ getservbyname() Stack allocation
  - From: max at cxib dot net
- [Bug nis/17913] NIS+ getservbyname() Stack allocation
  - From: fweimer at redhat dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]