public inbox for glibc-bugs@sourceware.org
* [Bug nis/17913] New: NIS+ Stack allocation
From: max at cxib dot net @ 2015-02-01 20:14 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17913

            Bug ID: 17913
           Summary: NIS+ Stack allocation
           Product: glibc
           Version: 2.20
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nis
          Assignee: unassigned at sourceware dot org
          Reporter: max at cxib dot net
                CC: kukuk at suse dot de

Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=17897

Hi,
I've compared _nss_nisplus_getservbyname_r() and _nss_nis_getservbyport_r(),
and in the NIS+ implementation there is no limit for stack allocation like in
the NIS implementation.

NIS
-------------------------------------
enum nss_status
_nss_nis_getservbyport_r (int port, const char *protocol,
                          struct servent *serv, char *buffer,
                          size_t buflen, int *errnop)
{
  char *domain;
  if (__glibc_unlikely (yp_get_default_domain (&domain)))
    return NSS_STATUS_UNAVAIL;

  /* If the protocol is given, we only need one query.
     Otherwise try first port/tcp, then port/udp and then fallback
     to sequential scanning of services.byname.  */
  const char *proto = protocol != NULL ? protocol : "tcp";
  /* Limit protocol name length to the maximum size of an RPC packet.  */
  if (strlen (proto) > UDPMSGSIZE) <============================================
    {
      *errnop = ERANGE;
      return NSS_STATUS_UNAVAIL;
    }

  do
    {
      /* key is: "port/proto" */
      char key[sizeof (int) * 3 + strlen (proto) + 2]; <================ OK
      size_t keylen = snprintf (key, sizeof (key), "%d/%s", ntohs (port),
                                proto);
-------------------------------------

NIS+
-------------------------------------
enum nss_status
_nss_nisplus_getservbyname_r (const char *name, const char *protocol,
                              struct servent *serv,
                              char *buffer, size_t buflen, int *errnop)
{
  if (tablename_val == NULL)
    {
      __libc_lock_lock (lock);

      enum nss_status status = _nss_create_tablename (errnop);

      __libc_lock_unlock (lock);

      if (status != NSS_STATUS_SUCCESS)
        return status;
    }

  if (name == NULL || protocol == NULL)
    {
      *errnop = EINVAL;
      return NSS_STATUS_NOTFOUND;
    }

  size_t protocol_len = strlen (protocol);
  char buf[strlen (name) + protocol_len + 17 + tablename_len]; <======= NOK
  int olderr = errno;
-------------------------------------

In one case the length is checked, and in the second it is not.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

* [Bug nis/17913] NIS+ getservbyname() Stack allocation
From: max at cxib dot net @ 2015-02-01 20:14 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17913

Max <max at cxib dot net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |max at cxib dot net
            Summary|NIS+ Stack allocation       |NIS+ getservbyname() Stack
                   |                            |allocation

* [Bug nis/17913] NIS+ getservbyname() Stack allocation
From: fweimer at redhat dot com @ 2015-02-18 13:32 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17913

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security?

* [Bug nis/17913] NIS+ getservbyname() Stack allocation
From: ppluzhnikov at google dot com @ 2015-08-24 3:41 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17913

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
                 CC|                                 |ppluzhnikov at google dot com
           Assignee|unassigned at sourceware dot org |ppluzhnikov at google dot com

* [Bug nis/17913] NIS+ getservbyname() Stack allocation
From: ppluzhnikov at google dot com @ 2015-08-24 3:55 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17913

--- Comment #1 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
The _nss_nis_getservbyport_r() checking was added in commit 315eb1d8 for PR
16932:

2014-05-12  Andreas Schwab  <schwab@suse.de>

        [BZ #16932]
        * nis/nss_nis/nis-hosts.c (internal_gethostbyname2_r)
        (_nss_nis_gethostbyname4_r): Return error if item length is larger
        than maximum RPC packet size.
        * nis/nss_nis/nis-initgroups.c (initgroups_netid): Likewise.
        * nis/nss_nis/nis-network.c (_nss_nis_getnetbyname_r): Likewise.
        * nis/nss_nis/nis-service.c (_nss_nis_getservbyname_r)
        (_nss_nis_getservbyport_r): Likewise.

* [Bug nis/17913] NIS+ getservbyname() Stack allocation
From: max at cxib dot net @ 2015-08-24 9:24 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17913

--- Comment #2 from Max <max at cxib dot net> ---
Yes. Anyway, we have to add a limit to NIS+:

https://gitlab.com/bminor/glibc/blob/315eb1d86aea489cd6325fd1c2521dcfb4fc0e1c/nis/nss_nisplus/nisplus-service.c
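
The length check this thread asks for, applied before the variable-length array is sized, as an added example (not glibc's code and not written by anyone in this thread). `build_service_key`, `LOOKUP_ARG_MAX` (a local stand-in for `UDPMSGSIZE`), the status enum and the key format string are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumption: local stand-in for UDPMSGSIZE, the bound the NIS code uses. */
#define LOOKUP_ARG_MAX 8800

/* Hypothetical status codes, modelled on NSS_STATUS_*. */
enum lookup_status { LOOKUP_OK, LOOKUP_NOTFOUND, LOOKUP_UNAVAIL };

/* Hypothetical helper: build a lookup key from caller-supplied NAME and
   PROTOCOL plus a locally configured TABLE.  The key format is
   illustrative.  */
enum lookup_status
build_service_key (const char *name, const char *protocol, const char *table,
                   char *out, size_t outlen, int *errnop)
{
  if (name == NULL || protocol == NULL)
    {
      *errnop = EINVAL;
      return LOOKUP_NOTFOUND;
    }

  /* Bound both caller-controlled lengths before they size anything on
     the stack, as _nss_nis_getservbyport_r does for the protocol.  */
  size_t name_len = strlen (name);
  size_t protocol_len = strlen (protocol);
  if (name_len > LOOKUP_ARG_MAX || protocol_len > LOOKUP_ARG_MAX)
    {
      *errnop = ERANGE;
      return LOOKUP_UNAVAIL;
    }

  /* The array is now at most 2 * LOOKUP_ARG_MAX + 17 bytes plus the
     table name, instead of whatever the caller passed in.  */
  char key[name_len + protocol_len + 17 + strlen (table)];
  int n = snprintf (key, sizeof (key), "[name=%s,proto=%s],%s",
                    name, protocol, table);
  if (n < 0 || (size_t) n >= outlen)
    {
      *errnop = ERANGE;
      return LOOKUP_UNAVAIL;
    }
  memcpy (out, key, (size_t) n + 1);
  return LOOKUP_OK;
}
```

An oversized name or protocol is rejected with ERANGE before the array declaration is reached, so the stack frame size no longer depends on unbounded caller input.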