mirror of
https://sourceware.org/git/glibc.git
synced 2024-11-21 20:40:05 +00:00
Fix unbound stack use in NIS NSS module
This commit is contained in:
parent
91df99f7f2
commit
315eb1d86a
11
ChangeLog
11
ChangeLog
@ -1,3 +1,14 @@
|
||||
2014-05-12 Andreas Schwab <schwab@suse.de>
|
||||
|
||||
[BZ #16932]
|
||||
* nis/nss_nis/nis-hosts.c (internal_gethostbyname2_r)
|
||||
(_nss_nis_gethostbyname4_r): Return error if item length is larger
|
||||
than maximum RPC packet size.
|
||||
* nis/nss_nis/nis-initgroups.c (initgroups_netid): Likewise.
|
||||
* nis/nss_nis/nis-network.c (_nss_nis_getnetbyname_r): Likewise.
|
||||
* nis/nss_nis/nis-service.c (_nss_nis_getservbyname_r)
|
||||
(_nss_nis_getservbyport_r): Likewise.
|
||||
|
||||
2014-05-12 Will Newton <will.newton@linaro.org>
|
||||
|
||||
* malloc/Makefile (tests): Add tst-mallopt.
|
||||
|
2
NEWS
2
NEWS
@ -16,7 +16,7 @@ Version 2.20
|
||||
16677, 16680, 16683, 16689, 16695, 16701, 16706, 16707, 16712, 16713,
|
||||
16714, 16731, 16739, 16740, 16743, 16754, 16758, 16759, 16760, 16770,
|
||||
16786, 16789, 16791, 16799, 16800, 16815, 16823, 16824, 16831, 16838,
|
||||
16854, 16876, 16877, 16885, 16888, 16890, 16912, 16916, 16922.
|
||||
16854, 16876, 16877, 16885, 16888, 16890, 16912, 16916, 16922, 16932.
|
||||
|
||||
* The minimum Linux kernel version that this version of the GNU C Library
|
||||
can be used with is 2.6.32.
|
||||
|
@ -270,6 +270,13 @@ internal_gethostbyname2_r (const char *name, int af, struct hostent *host,
|
||||
|
||||
/* Convert name to lowercase. */
|
||||
size_t namlen = strlen (name);
|
||||
/* Limit name length to the maximum size of an RPC packet. */
|
||||
if (namlen > UDPMSGSIZE)
|
||||
{
|
||||
*errnop = ERANGE;
|
||||
return NSS_STATUS_UNAVAIL;
|
||||
}
|
||||
|
||||
char name2[namlen + 1];
|
||||
size_t i;
|
||||
|
||||
@ -461,6 +468,13 @@ _nss_nis_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
|
||||
|
||||
/* Convert name to lowercase. */
|
||||
size_t namlen = strlen (name);
|
||||
/* Limit name length to the maximum size of an RPC packet. */
|
||||
if (namlen > UDPMSGSIZE)
|
||||
{
|
||||
*errnop = ERANGE;
|
||||
return NSS_STATUS_UNAVAIL;
|
||||
}
|
||||
|
||||
char name2[namlen + 1];
|
||||
size_t i;
|
||||
|
||||
|
@ -150,6 +150,13 @@ initgroups_netid (uid_t uid, gid_t group, long int *start, long int *size,
|
||||
gid_t **groupsp, long int limit, int *errnop,
|
||||
const char *domainname)
|
||||
{
|
||||
/* Limit domainname length to the maximum size of an RPC packet. */
|
||||
if (strlen (domainname) > UDPMSGSIZE)
|
||||
{
|
||||
*errnop = ERANGE;
|
||||
return NSS_STATUS_UNAVAIL;
|
||||
}
|
||||
|
||||
/* Prepare the key. The form is "unix.UID@DOMAIN" with the UID and
|
||||
DOMAIN field filled in appropriately. */
|
||||
char key[sizeof ("unix.@") + sizeof (uid_t) * 3 + strlen (domainname)];
|
||||
|
@ -179,6 +179,13 @@ _nss_nis_getnetbyname_r (const char *name, struct netent *net, char *buffer,
|
||||
|
||||
/* Convert name to lowercase. */
|
||||
size_t namlen = strlen (name);
|
||||
/* Limit name length to the maximum size of an RPC packet. */
|
||||
if (namlen > UDPMSGSIZE)
|
||||
{
|
||||
*errnop = ERANGE;
|
||||
return NSS_STATUS_UNAVAIL;
|
||||
}
|
||||
|
||||
char name2[namlen + 1];
|
||||
size_t i;
|
||||
|
||||
|
@ -271,6 +271,13 @@ _nss_nis_getservbyname_r (const char *name, const char *protocol,
|
||||
/* If the protocol is given, we could try if our NIS server knows
|
||||
about services.byservicename map. If yes, we only need one query. */
|
||||
size_t keylen = strlen (name) + (protocol ? 1 + strlen (protocol) : 0);
|
||||
/* Limit key length to the maximum size of an RPC packet. */
|
||||
if (keylen > UDPMSGSIZE)
|
||||
{
|
||||
*errnop = ERANGE;
|
||||
return NSS_STATUS_UNAVAIL;
|
||||
}
|
||||
|
||||
char key[keylen + 1];
|
||||
|
||||
/* key is: "name/proto" */
|
||||
@ -355,6 +362,13 @@ _nss_nis_getservbyport_r (int port, const char *protocol,
|
||||
Otherwise try first port/tcp, then port/udp and then fallback
|
||||
to sequential scanning of services.byname. */
|
||||
const char *proto = protocol != NULL ? protocol : "tcp";
|
||||
/* Limit protocol name length to the maximum size of an RPC packet. */
|
||||
if (strlen (proto) > UDPMSGSIZE)
|
||||
{
|
||||
*errnop = ERANGE;
|
||||
return NSS_STATUS_UNAVAIL;
|
||||
}
|
||||
|
||||
do
|
||||
{
|
||||
/* key is: "port/proto" */
|
||||
|
Loading…
Reference in New Issue
Block a user