glibc/nss/bug17079.c

245 lines
7.1 KiB
C
Raw Normal View History

/* Test for bug 17079: heap overflow in NSS with small buffers.
Copyright (C) 2015 Free Software Foundation, Inc.
2015-09-22 11:20:18 +00:00
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
#include <errno.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Check if two passwd structs contain the same data. */
static bool
equal (const struct passwd *a, const struct passwd *b)
{
return strcmp (a->pw_name, b->pw_name) == 0
&& strcmp (a->pw_passwd, b->pw_passwd) == 0
&& a->pw_uid == b->pw_uid
&& a->pw_gid == b->pw_gid
&& strcmp (a->pw_gecos, b->pw_gecos) == 0
&& strcmp (a->pw_dir, b->pw_dir) == 0
&& strcmp (a->pw_shell, b->pw_shell) == 0;
}
enum { MAX_TEST_ITEMS = 10 };
static struct passwd test_items[MAX_TEST_ITEMS];
static int test_count;
/* Initialize test_items and test_count above, with data from the
passwd database. */
static bool
init_test_items (void)
{
setpwent ();
do
{
struct passwd *pwd = getpwent ();
if (pwd == NULL)
break;
struct passwd *target = test_items + test_count;
target->pw_name = strdup (pwd->pw_name);
target->pw_passwd = strdup (pwd->pw_passwd);
target->pw_uid = pwd->pw_uid;
target->pw_gid = pwd->pw_gid;
target->pw_gecos = strdup (pwd->pw_gecos);
target->pw_dir = strdup (pwd->pw_dir);
target->pw_shell = strdup (pwd->pw_shell);
}
while (++test_count < MAX_TEST_ITEMS);
endpwent ();
/* Filter out those test items which cannot be looked up by name or
UID. */
bool found = false;
for (int i = 0; i < test_count; ++i)
{
struct passwd *pwd1 = getpwnam (test_items[i].pw_name);
struct passwd *pwd2 = getpwuid (test_items[i].pw_uid);
if (pwd1 == NULL || !equal (pwd1, test_items + i)
|| pwd2 == NULL || !equal (pwd2, test_items + i))
{
printf ("info: skipping user \"%s\", UID %ld due to inconsistency\n",
test_items[i].pw_name, (long) test_items[i].pw_uid);
test_items[i].pw_name = NULL;
}
2015-09-22 11:20:18 +00:00
else
found = true;
}
if (!found)
puts ("error: no accounts found which can be looked up by name and UID.");
return found;
}
/* Set to true if an error is encountered. */
static bool errors;
/* Return true if the padding has not been tampered with. */
static bool
check_padding (char *buffer, size_t size, char pad)
{
char *end = buffer + size;
while (buffer < end)
{
if (*buffer != pad)
return false;
++buffer;
}
return true;
}
/* Test one buffer size and padding combination. */
static void
test_one (const struct passwd *item, size_t buffer_size,
char pad, size_t padding_size)
{
char *buffer = malloc (buffer_size + padding_size);
if (buffer == NULL)
{
puts ("error: malloc failure");
errors = true;
return;
}
struct passwd pwd;
struct passwd *result;
int ret;
/* Test getpwname_r. */
memset (buffer, pad, buffer_size + padding_size);
pwd = (struct passwd) {};
ret = getpwnam_r (item->pw_name, &pwd, buffer, buffer_size, &result);
if (!check_padding (buffer + buffer_size, padding_size, pad))
{
printf ("error: padding change: "
"name \"%s\", buffer size %zu, padding size %zu, pad 0x%02x\n",
item->pw_name, buffer_size, padding_size, (unsigned char) pad);
errors = true;
}
if (ret == 0)
{
if (result == NULL)
{
printf ("error: no data: name \"%s\", buffer size %zu\n",
item->pw_name, buffer_size);
errors = true;
}
else if (!equal (item, result))
{
printf ("error: lookup mismatch: name \"%s\", buffer size %zu\n",
item->pw_name, buffer_size);
errors = true;
}
}
else if (ret != ERANGE)
{
errno = ret;
printf ("error: lookup failure for name \"%s\": %m (%d)\n",
item->pw_name, ret);
errors = true;
}
/* Test getpwuid_r. */
memset (buffer, pad, buffer_size + padding_size);
pwd = (struct passwd) {};
ret = getpwuid_r (item->pw_uid, &pwd, buffer, buffer_size, &result);
if (!check_padding (buffer + buffer_size, padding_size, pad))
{
printf ("error: padding change: "
"UID %ld, buffer size %zu, padding size %zu, pad 0x%02x\n",
(long) item->pw_uid, buffer_size, padding_size,
(unsigned char) pad);
errors = true;
}
if (ret == 0)
{
if (result == NULL)
{
printf ("error: no data: UID %ld, buffer size %zu\n",
(long) item->pw_uid, buffer_size);
errors = true;
}
else if (!equal (item, result))
{
printf ("error: lookup mismatch: UID %ld, buffer size %zu\n",
(long) item->pw_uid, buffer_size);
errors = true;
}
}
else if (ret != ERANGE)
{
errno = ret;
printf ("error: lookup failure for UID \"%ld\": %m (%d)\n",
(long) item->pw_uid, ret);
errors = true;
}
free (buffer);
}
/* Test one buffer size with different paddings. */
static void
test_buffer_size (size_t buffer_size)
{
for (int i = 0; i < test_count; ++i)
for (size_t padding_size = 0; padding_size < 3; ++padding_size)
{
/* Skip entries with inconsistent name/UID lookups. */
if (test_items[i].pw_name == NULL)
continue;
2015-09-22 11:20:18 +00:00
test_one (test_items + i, buffer_size, '\0', padding_size);
if (padding_size > 0)
{
test_one (test_items + i, buffer_size, ':', padding_size);
test_one (test_items + i, buffer_size, '\n', padding_size);
test_one (test_items + i, buffer_size, '\xff', padding_size);
test_one (test_items + i, buffer_size, '@', padding_size);
}
}
}
int
do_test (void)
{
if (!init_test_items ())
return 1;
printf ("info: %d test items\n", test_count);
for (size_t buffer_size = 0; buffer_size <= 65; ++buffer_size)
test_buffer_size (buffer_size);
for (size_t buffer_size = 64 + 4; buffer_size < 256; buffer_size += 4)
test_buffer_size (buffer_size);
test_buffer_size (255);
test_buffer_size (257);
for (size_t buffer_size = 256; buffer_size < 512; buffer_size += 8)
test_buffer_size (buffer_size);
test_buffer_size (511);
test_buffer_size (513);
test_buffer_size (1024);
test_buffer_size (2048);
if (errors)
return 1;
else
return 0;
}
#define TEST_FUNCTION do_test ()
#include "../test-skeleton.c"