Fix unbound stack use in NIS NSS module

Andreas Schwab 2014-05-08 16:53:01 +02:00
parent 91df99f7f2
commit 315eb1d86a
6 changed files with 54 additions and 1 deletions


@ -1,3 +1,14 @@
2014-05-12 Andreas Schwab <schwab@suse.de>
[BZ #16932]
* nis/nss_nis/nis-hosts.c (internal_gethostbyname2_r)
(_nss_nis_gethostbyname4_r): Return error if item length is larger
than maximum RPC packet size.
* nis/nss_nis/nis-initgroups.c (initgroups_netid): Likewise.
* nis/nss_nis/nis-network.c (_nss_nis_getnetbyname_r): Likewise.
* nis/nss_nis/nis-service.c (_nss_nis_getservbyname_r)
(_nss_nis_getservbyport_r): Likewise.
2014-05-12 Will Newton <will.newton@linaro.org>
* malloc/Makefile (tests): Add tst-mallopt.

2
NEWS

@ -16,7 +16,7 @@ Version 2.20
16677, 16680, 16683, 16689, 16695, 16701, 16706, 16707, 16712, 16713,
16714, 16731, 16739, 16740, 16743, 16754, 16758, 16759, 16760, 16770,
16786, 16789, 16791, 16799, 16800, 16815, 16823, 16824, 16831, 16838,
16854, 16876, 16877, 16885, 16888, 16890, 16912, 16916, 16922.
16854, 16876, 16877, 16885, 16888, 16890, 16912, 16916, 16922, 16932.
* The minimum Linux kernel version that this version of the GNU C Library
can be used with is 2.6.32.


@ -270,6 +270,13 @@ internal_gethostbyname2_r (const char *name, int af, struct hostent *host,
/* Convert name to lowercase. */
size_t namlen = strlen (name);
/* Limit name length to the maximum size of an RPC packet. */
if (namlen > UDPMSGSIZE)
{
*errnop = ERANGE;
return NSS_STATUS_UNAVAIL;
}
char name2[namlen + 1];
size_t i;
@ -461,6 +468,13 @@ _nss_nis_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
/* Convert name to lowercase. */
size_t namlen = strlen (name);
/* Limit name length to the maximum size of an RPC packet. */
if (namlen > UDPMSGSIZE)
{
*errnop = ERANGE;
return NSS_STATUS_UNAVAIL;
}
char name2[namlen + 1];
size_t i;
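Review bot: The new comment in internal_gethostbyname2_r mentions only the RPC packet size, but the guard matters because `namlen` sizes the `name2` array declared right after it, and `name` is supplied by the caller. I would spell that out, e.g. `/* Limit name length to the maximum size of an RPC packet; this also bounds the name2 array allocated on the stack below.  */`. The same wording fits the guard in _nss_nis_gethostbyname4_r in this file, and those before `name2` in _nss_nis_getnetbyname_r and before `key` in _nss_nis_getservbyname_r. Both functions here start and end outside their hunks.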


@ -150,6 +150,13 @@ initgroups_netid (uid_t uid, gid_t group, long int *start, long int *size,
gid_t **groupsp, long int limit, int *errnop,
const char *domainname)
{
/* Limit domainname length to the maximum size of an RPC packet. */
if (strlen (domainname) > UDPMSGSIZE)
{
*errnop = ERANGE;
return NSS_STATUS_UNAVAIL;
}
/* Prepare the key. The form is "unix.UID@DOMAIN" with the UID and
DOMAIN field filled in appropriately. */
char key[sizeof ("unix.@") + sizeof (uid_t) * 3 + strlen (domainname)];
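Review bot: `strlen (domainname)` is evaluated in the new guard and again in the size of the `key` array just below it. Keeping the length in a local, `size_t domlen = strlen (domainname);`, and using it in both `if (domlen > UDPMSGSIZE)` and the declaration of `key` would match the `namlen` pattern the other lookups in this commit use. The guard also measures the domain name alone, while `key` adds the "unix." prefix and the UID digits, so what it bounds is the stack use rather than the final key length; the comment could say so. The body of initgroups_netid continues outside the hunk.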


@ -179,6 +179,13 @@ _nss_nis_getnetbyname_r (const char *name, struct netent *net, char *buffer,
/* Convert name to lowercase. */
size_t namlen = strlen (name);
/* Limit name length to the maximum size of an RPC packet. */
if (namlen > UDPMSGSIZE)
{
*errnop = ERANGE;
return NSS_STATUS_UNAVAIL;
}
char name2[namlen + 1];
size_t i;
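Review bot: The guard in _nss_nis_getnetbyname_r sets `*errnop = ERANGE` but returns `NSS_STATUS_UNAVAIL`, and nothing in the hunk says why. NSS modules usually pair ERANGE with NSS_STATUS_TRYAGAIN to ask the caller for a larger result buffer, so a reader may take this combination for a mistake. Assuming the intent is to reject the request outright, a short comment above the return would settle it, e.g. `/* The request itself is too long; a larger result buffer would not help, so do not ask the caller to retry.  */`. Every guard this commit adds uses the same pairing, and the function body continues outside the hunk.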


@ -271,6 +271,13 @@ _nss_nis_getservbyname_r (const char *name, const char *protocol,
/* If the protocol is given, we could try if our NIS server knows
about services.byservicename map. If yes, we only need one query. */
size_t keylen = strlen (name) + (protocol ? 1 + strlen (protocol) : 0);
/* Limit key length to the maximum size of an RPC packet. */
if (keylen > UDPMSGSIZE)
{
*errnop = ERANGE;
return NSS_STATUS_UNAVAIL;
}
char key[keylen + 1];
/* key is: "name/proto" */
@ -355,6 +362,13 @@ _nss_nis_getservbyport_r (int port, const char *protocol,
Otherwise try first port/tcp, then port/udp and then fallback
to sequential scanning of services.byname. */
const char *proto = protocol != NULL ? protocol : "tcp";
/* Limit protocol name length to the maximum size of an RPC packet. */
if (strlen (proto) > UDPMSGSIZE)
{
*errnop = ERANGE;
return NSS_STATUS_UNAVAIL;
}
do
{
/* key is: "port/proto" */
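Review bot: In _nss_nis_getservbyport_r the guard measures `proto` alone, while the key built inside the loop is "port/proto" according to the comment that follows. Its reference to the RPC packet size is therefore looser than in _nss_nis_getservbyname_r, where the whole `keylen` is checked. The guard presumably protects a key buffer sized from `strlen (proto)` inside the loop, which lies outside this hunk, so the comment should name it, e.g. `/* Limit protocol name length; it sizes the "port/proto" key built below.  */`. The check is also only meaningful when `protocol` is non-NULL, since the fallback is the literal "tcp".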