public inbox for glibc-bugs@sourceware.org
* [Bug nis/17913] New: NIS+ Stack allocation
From: max at cxib dot net @ 2015-02-01 20:14 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17913
Bug ID: 17913
Summary: NIS+ Stack allocation
Product: glibc
Version: 2.20
Status: NEW
Severity: normal
Priority: P2
Component: nis
Assignee: unassigned at sourceware dot org
Reporter: max at cxib dot net
CC: kukuk at suse dot de
Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=17897
Hi,
I've compared _nss_nisplus_getservbyname_r() and _nss_nis_getservbyport_r(),
and in the NIS+ implementation there is no limit on stack allocation like in
the NIS implementation.
NIS
-------------------------------------
enum nss_status
_nss_nis_getservbyport_r (int port, const char *protocol,
                          struct servent *serv, char *buffer,
                          size_t buflen, int *errnop)
{
  char *domain;
  if (__glibc_unlikely (yp_get_default_domain (&domain)))
    return NSS_STATUS_UNAVAIL;

  /* If the protocol is given, we only need one query.
     Otherwise try first port/tcp, then port/udp and then fallback
     to sequential scanning of services.byname.  */
  const char *proto = protocol != NULL ? protocol : "tcp";

  /* Limit protocol name length to the maximum size of an RPC packet.  */
  if (strlen (proto) > UDPMSGSIZE)   <============================================
    {
      *errnop = ERANGE;
      return NSS_STATUS_UNAVAIL;
    }

  do
    {
      /* key is: "port/proto" */
      char key[sizeof (int) * 3 + strlen (proto) + 2];   <================ OK
      size_t keylen = snprintf (key, sizeof (key), "%d/%s", ntohs (port),
                                proto);
-------------------------------------
NIS+
-------------------------------------
enum nss_status
_nss_nisplus_getservbyname_r (const char *name, const char *protocol,
                              struct servent *serv,
                              char *buffer, size_t buflen, int *errnop)
{
  if (tablename_val == NULL)
    {
      __libc_lock_lock (lock);
      enum nss_status status = _nss_create_tablename (errnop);
      __libc_lock_unlock (lock);
      if (status != NSS_STATUS_SUCCESS)
        return status;
    }

  if (name == NULL || protocol == NULL)
    {
      *errnop = EINVAL;
      return NSS_STATUS_NOTFOUND;
    }

  size_t protocol_len = strlen (protocol);
  char buf[strlen (name) + protocol_len + 17 + tablename_len];   <======= NOK
  int olderr = errno;
-------------------------------------
In one case the length is checked, and in the second it is not.
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug nis/17913] NIS+ getservbyname() Stack allocation
From: max at cxib dot net @ 2015-02-01 20:14 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17913
Max <max at cxib dot net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |max at cxib dot net
            Summary|NIS+ Stack allocation       |NIS+ getservbyname() Stack
                   |                            |allocation
* [Bug nis/17913] NIS+ getservbyname() Stack allocation
From: fweimer at redhat dot com @ 2015-02-18 13:32 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17913
Florian Weimer <fweimer at redhat dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security?
* [Bug nis/17913] NIS+ getservbyname() Stack allocation
From: ppluzhnikov at google dot com @ 2015-08-24 3:41 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17913
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
           What    |Removed                          |Added
---------------------------------------------------------------------------------
                 CC|                                 |ppluzhnikov at google dot com
           Assignee|unassigned at sourceware dot org |ppluzhnikov at google dot com
* [Bug nis/17913] NIS+ getservbyname() Stack allocation
From: ppluzhnikov at google dot com @ 2015-08-24 3:55 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17913
--- Comment #1 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
The _nss_nis_getservbyport_r() checking was added in commit 315eb1d8 for PR
16932:
2014-05-12  Andreas Schwab  <schwab@suse.de>

        [BZ #16932]
        * nis/nss_nis/nis-hosts.c (internal_gethostbyname2_r)
        (_nss_nis_gethostbyname4_r): Return error if item length is larger
        than maximum RPC packet size.
        * nis/nss_nis/nis-initgroups.c (initgroups_netid): Likewise.
        * nis/nss_nis/nis-network.c (_nss_nis_getnetbyname_r): Likewise.
        * nis/nss_nis/nis-service.c (_nss_nis_getservbyname_r)
        (_nss_nis_getservbyport_r): Likewise.
* [Bug nis/17913] NIS+ getservbyname() Stack allocation
From: max at cxib dot net @ 2015-08-24 9:24 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17913
--- Comment #2 from Max <max at cxib dot net> ---
Yes. Anyway, we have to add a limit to NIS+.
https://gitlab.com/bminor/glibc/blob/315eb1d86aea489cd6325fd1c2521dcfb4fc0e1c/nis/nss_nisplus/nisplus-service.c
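
A sketch of the kind of limit the thread asks for, added here as an example and not taken from glibc or from any fix for this bug: the caller-supplied name and protocol are length-checked against a cap before any buffer is sized from them, and the key is built on the heap rather than in a variable-length stack array. The helper name build_service_key, the ITEM_MAX cap and the key format are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap standing in for the UDPMSGSIZE bound in the NIS code.  */
#define ITEM_MAX 8800

/* Hypothetical helper, not glibc code: builds "[name=N,proto=P],TABLE"
   only after bounding both caller-supplied strings.  Returns 0 and sets
   *out (caller frees) on success, otherwise an errno value.  */
int
build_service_key (const char *name, const char *protocol,
                   const char *table, char **out)
{
  *out = NULL;
  if (name == NULL || protocol == NULL || table == NULL)
    return EINVAL;

  /* strnlen stops at the cap, so oversized input is rejected cheaply.  */
  size_t name_len = strnlen (name, ITEM_MAX + 1);
  size_t proto_len = strnlen (protocol, ITEM_MAX + 1);
  if (name_len > ITEM_MAX || proto_len > ITEM_MAX)
    return ERANGE;

  /* table is configuration, not caller input; 17 covers the fixed
     punctuation and the terminating NUL.  */
  size_t need = name_len + proto_len + strlen (table) + 17;
  char *key = malloc (need);
  if (key == NULL)
    return ENOMEM;

  int n = snprintf (key, need, "[name=%s,proto=%s],%s",
                    name, protocol, table);
  if (n < 0 || (size_t) n >= need)
    {
      free (key);
      return ERANGE;
    }
  *out = key;
  return 0;
}
```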