BZ#14498: fix infinite loop in nss_db_getservbyname

nss_db uses nss_files code for services, but a continue on protocol mismatch that doesn't affect nss_files skipped the code that advanced to the next db entry. Any one of these changes would suffice to fix it, but fixing both makes them both safer to reuse elsewhere. for ChangeLog [BZ #14498] * NEWS: Fixed. * nss/nss_db/db-XXX.c (_nss_db_get##name##_r): Update hidx after parsing line but before break_if_match. * nss/nss_files/files-service (DB_LOOKUP): Don't "continue;" if there is a protocol mismatch.
2024-11-24 14:00:30 +00:00 · 2014-11-21 03:29:56 -02:00 · 2014-11-21 03:29:56 -02:00 · 4969890247
commit 4969890247
parent 8195921486
4 changed files with 24 additions and 9 deletions
--- a/9
+++ b/9
@ -1,3 +1,12 @@
+2014-11-21  Alexandre Oliva <aoliva@redhat.com>
+
+	[BZ #14498]
+	* NEWS: Fixed.
+	* nss/nss_db/db-XXX.c (_nss_db_get##name##_r): Update hidx
+	after parsing line but before break_if_match.
+	* nss/nss_files/files-service (DB_LOOKUP): Don't "continue;"
+	if there is a protocol mismatch.
+
 2014-11-21  Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>

 	* manual/sysinfo.texi (addmntent): It is actually MT-Safe,
--- a/8
+++ b/8
@ -9,10 +9,10 @@ Version 2.21

 * The following bugs are resolved with this release:

-  6652, 12926, 14132, 14138, 14171, 15215, 15884, 17266, 17344, 17363,
-  17370, 17371, 17411, 17460, 17475, 17485, 17501, 17506, 17508, 17522,
-  17555, 17570, 17571, 17572, 17573, 17574, 17582, 17583, 17584, 17585,
-  17589, 17594, 17616, 17625.
+  6652, 12926, 14132, 14138, 14171, 14498, 15215, 15884, 17266, 17344,
+  17363, 17370, 17371, 17411, 17460, 17475, 17485, 17501, 17506, 17508,
+  17522, 17555, 17570, 17571, 17572, 17573, 17574, 17582, 17583, 17584,
+  17585, 17589, 17594, 17616, 17625.

 * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
  under certain input conditions resulting in the execution of a shell for
--- a/nss/nss_db/db-XXX.c
+++ b/nss/nss_db/db-XXX.c
@ -191,6 +191,12 @@ enum nss_status								      \
      char *p = memcpy (buffer, valstr, len);				      \
 									      \
      int err = parse_line (p, result, data, buflen, errnop EXTRA_ARGS);      \
+									      \
+      /* Advance before break_if_match, lest it uses continue to skip
+	 to the next entry.  */						      \
+      if ((hidx += hval2) >= header->dbs[i].hashsize)			      \
+	hidx -= header->dbs[i].hashsize;				      \
+									      \
      if (err > 0)							      \
 	{								      \
 	  status = NSS_STATUS_SUCCESS;					      \
@ -203,9 +209,6 @@ enum nss_status								      \
 	  status = NSS_STATUS_TRYAGAIN;					      \
 	  break;							      \
 	}								      \
-									      \
-      if ((hidx += hval2) >= header->dbs[i].hashsize)			      \
-	hidx -= header->dbs[i].hashsize;				      \
    }									      \
 									      \
  if (status == NSS_STATUS_NOTFOUND)					      \
--- a/nss/nss_files/files-service.c
+++ b/nss/nss_files/files-service.c
@ -44,8 +44,11 @@ DB_LOOKUP (servbyname, ':',
 	   {
 	     /* Must match both protocol (if specified) and name.  */
 	     if (proto != NULL && strcmp (result->s_proto, proto))
-	       continue;
-	     LOOKUP_NAME (s_name, s_aliases)
+	       /* A continue statement here breaks nss_db, because it
+		bypasses advancing to the next db entry, and it
+		doesn't make nss_files any more efficient.  */;
+	     else
+	       LOOKUP_NAME (s_name, s_aliases)
 	   },
 	   const char *name, const char *proto)