This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] Fix unbound stack use in NIS NSS module

From: Siddhesh Poyarekar <siddhesh dot poyarekar at gmail dot com>
To: Andreas Schwab <schwab at suse dot de>
Cc: GNU C Library <libc-alpha at sourceware dot org>
Date: Mon, 12 May 2014 19:04:49 +0530
Subject: Re: [PATCH] Fix unbound stack use in NIS NSS module
Authentication-results: sourceware.org; auth=none
References: <mvmegzzxwat dot fsf at hawking dot suse dot de>

On 12 May 2014 13:28, Andreas Schwab <schwab@suse.de> wrote:
> yp_match needs to put its request in a single RPC packet, so don't
> bother trying to support big items.

Won't this apply to netgroups too?

Siddhesh

>
> Andreas.
>
>         [BZ #16932]
>         * nis/nss_nis/nis-hosts.c (internal_gethostbyname2_r)
>         (_nss_nis_gethostbyname4_r): Return error if item length is larger
>         than maximum RPC packet size.
>         * nis/nss_nis/nis-initgroups.c (initgroups_netid): Likewise.
>         * nis/nss_nis/nis-network.c (_nss_nis_getnetbyname_r): Likewise.
>         * nis/nss_nis/nis-service.c (_nss_nis_getservbyname_r)
>         (_nss_nis_getservbyport_r): Likewise.
> ---
>  nis/nss_nis/nis-hosts.c      | 14 ++++++++++++++
>  nis/nss_nis/nis-initgroups.c |  7 +++++++
>  nis/nss_nis/nis-network.c    |  7 +++++++
>  nis/nss_nis/nis-service.c    | 14 ++++++++++++++
>  4 files changed, 42 insertions(+)
>
> diff --git a/nis/nss_nis/nis-hosts.c b/nis/nss_nis/nis-hosts.c
> index 462176e..d6192b1 100644
> --- a/nis/nss_nis/nis-hosts.c
> +++ b/nis/nss_nis/nis-hosts.c
> @@ -270,6 +270,13 @@ internal_gethostbyname2_r (const char *name, int af, struct hostent *host,
>
>    /* Convert name to lowercase.  */
>    size_t namlen = strlen (name);
> +  /* Limit name length to the maximum size of an RPC packet.  */
> +  if (namlen > UDPMSGSIZE)
> +    {
> +      *errnop = ERANGE;
> +      return NSS_STATUS_UNAVAIL;
> +    }
> +
>    char name2[namlen + 1];
>    size_t i;
>
> @@ -461,6 +468,13 @@ _nss_nis_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
>
>    /* Convert name to lowercase.  */
>    size_t namlen = strlen (name);
> +  /* Limit name length to the maximum size of an RPC packet.  */
> +  if (namlen > UDPMSGSIZE)
> +    {
> +      *errnop = ERANGE;
> +      return NSS_STATUS_UNAVAIL;
> +    }
> +
>    char name2[namlen + 1];
>    size_t i;
>
> diff --git a/nis/nss_nis/nis-initgroups.c b/nis/nss_nis/nis-initgroups.c
> index e8fcca1..9542fae 100644
> --- a/nis/nss_nis/nis-initgroups.c
> +++ b/nis/nss_nis/nis-initgroups.c
> @@ -150,6 +150,13 @@ initgroups_netid (uid_t uid, gid_t group, long int *start, long int *size,
>                   gid_t **groupsp, long int limit, int *errnop,
>                   const char *domainname)
>  {
> +  /* Limit domainname length to the maximum size of an RPC packet.  */
> +  if (strlen (domainname) > UDPMSGSIZE)
> +    {
> +      *errnop = ERANGE;
> +      return NSS_STATUS_UNAVAIL;
> +    }
> +
>    /* Prepare the key.  The form is "unix.UID@DOMAIN" with the UID and
>       DOMAIN field filled in appropriately.  */
>    char key[sizeof ("unix.@") + sizeof (uid_t) * 3 + strlen (domainname)];
> diff --git a/nis/nss_nis/nis-network.c b/nis/nss_nis/nis-network.c
> index f28fbda..f1b72bc 100644
> --- a/nis/nss_nis/nis-network.c
> +++ b/nis/nss_nis/nis-network.c
> @@ -179,6 +179,13 @@ _nss_nis_getnetbyname_r (const char *name, struct netent *net, char *buffer,
>
>    /* Convert name to lowercase.  */
>    size_t namlen = strlen (name);
> +  /* Limit name length to the maximum size of an RPC packet.  */
> +  if (namlen > UDPMSGSIZE)
> +    {
> +      *errnop = ERANGE;
> +      return NSS_STATUS_UNAVAIL;
> +    }
> +
>    char name2[namlen + 1];
>    size_t i;
>
> diff --git a/nis/nss_nis/nis-service.c b/nis/nss_nis/nis-service.c
> index f9b4a86..44e4e13 100644
> --- a/nis/nss_nis/nis-service.c
> +++ b/nis/nss_nis/nis-service.c
> @@ -271,6 +271,13 @@ _nss_nis_getservbyname_r (const char *name, const char *protocol,
>    /* If the protocol is given, we could try if our NIS server knows
>       about services.byservicename map. If yes, we only need one query.  */
>    size_t keylen = strlen (name) + (protocol ? 1 + strlen (protocol) : 0);
> +  /* Limit key length to the maximum size of an RPC packet.  */
> +  if (keylen > UDPMSGSIZE)
> +    {
> +      *errnop = ERANGE;
> +      return NSS_STATUS_UNAVAIL;
> +    }
> +
>    char key[keylen + 1];
>
>    /* key is: "name/proto" */
> @@ -355,6 +362,13 @@ _nss_nis_getservbyport_r (int port, const char *protocol,
>       Otherwise try first port/tcp, then port/udp and then fallback
>       to sequential scanning of services.byname.  */
>    const char *proto = protocol != NULL ? protocol : "tcp";
> +  /* Limit protocol name length to the maximum size of an RPC packet.  */
> +  if (strlen (proto) > UDPMSGSIZE)
> +    {
> +      *errnop = ERANGE;
> +      return NSS_STATUS_UNAVAIL;
> +    }
> +
>    do
>      {
>        /* key is: "port/proto" */
> --
> 1.9.2
>
> --
> Andreas Schwab, SUSE Labs, schwab@suse.de
> GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
> "And now for something completely different."



-- 
http://siddhesh.in

Follow-Ups:
- Re: [PATCH] Fix unbound stack use in NIS NSS module
  - From: Andreas Schwab

References:
- [PATCH] Fix unbound stack use in NIS NSS module
  - From: Andreas Schwab

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]