public inbox for glibc-bugs@sourceware.org
* [Bug nis/17913] New: NIS+ Stack allocation
@ 2015-02-01 20:14 max at cxib dot net
From: max at cxib dot net @ 2015-02-01 20:14 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17913

            Bug ID: 17913
           Summary: NIS+ Stack allocation
           Product: glibc
           Version: 2.20
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nis
          Assignee: unassigned at sourceware dot org
          Reporter: max at cxib dot net
                CC: kukuk at suse dot de

Reference: 
https://sourceware.org/bugzilla/show_bug.cgi?id=17897

Hi,

I've compared _nss_nisplus_getservbyname_r() and _nss_nis_getservbyport_r(),
and in the NIS+ implementation there is no limit on the stack allocation like
there is in the NIS implementation.


NIS 
-------------------------------------
enum nss_status
_nss_nis_getservbyport_r (int port, const char *protocol,
              struct servent *serv, char *buffer,
              size_t buflen, int *errnop)
{
  char *domain;
  if (__glibc_unlikely (yp_get_default_domain (&domain)))
    return NSS_STATUS_UNAVAIL;

  /* If the protocol is given, we only need one query.
     Otherwise try first port/tcp, then port/udp and then fallback
     to sequential scanning of services.byname.  */
  const char *proto = protocol != NULL ? protocol : "tcp";
  /* Limit protocol name length to the maximum size of an RPC packet.  */
  if (strlen (proto) > UDPMSGSIZE)                       /* <========== */
    {
      *errnop = ERANGE;
      return NSS_STATUS_UNAVAIL;
    }

  do
    {
      /* key is: "port/proto" */
      char key[sizeof (int) * 3 + strlen (proto) + 2];   /* <======== OK */
      size_t keylen = snprintf (key, sizeof (key), "%d/%s", ntohs (port),
                proto);

-------------------------------------


NIS+
-------------------------------------
enum nss_status
_nss_nisplus_getservbyname_r (const char *name, const char *protocol,
                  struct servent *serv,
                  char *buffer, size_t buflen, int *errnop)
{
  if (tablename_val == NULL)
    {
      __libc_lock_lock (lock);

      enum nss_status status = _nss_create_tablename (errnop);

      __libc_lock_unlock (lock);

      if (status != NSS_STATUS_SUCCESS)
        return status;
    }

  if (name == NULL || protocol == NULL)
    {
      *errnop = EINVAL;
      return NSS_STATUS_NOTFOUND;
    }

  size_t protocol_len = strlen (protocol);
  char buf[strlen (name) + protocol_len + 17 + tablename_len]; /* <======= NOK */
  int olderr = errno;
-------------------------------------

In one case the length is checked, and in the second it is not.

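The C program below is an added example, not code from the bug report or from glibc, showing the bounding pattern the report contrasts: the NIS-style length check is applied to every caller-controlled string before a stack buffer (VLA) is sized from it, so the VLA can never grow past a fixed ceiling. COMPONENT_LIMIT, KEY_OVERHEAD, the function names, the "[cname=...,proto=...],table" key format and the sample table name are assumptions made for this example; the real glibc bound in the NIS snippet is UDPMSGSIZE.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on a single name or protocol component.  Value chosen for
   this example; the NIS snippet in the report uses UDPMSGSIZE for the
   same purpose. */
#define COMPONENT_LIMIT 8800

/* Bytes for the fixed text "[cname=,proto=]," plus the terminating NUL.
   This matches the constant 17 in the NIS+ buffer size; the key format
   itself is an assumption of this example. */
#define KEY_OVERHEAD 17

/* Compute the buffer size a key needs, refusing oversized inputs before
   any stack memory is sized from them.  Returns 0 and sets *errnop
   (EINVAL or ERANGE) on failure. */
static size_t service_key_size(const char *name, const char *protocol,
                               size_t tablename_len, int *errnop)
{
    if (name == NULL || protocol == NULL) {
        *errnop = EINVAL;
        return 0;
    }
    size_t name_len = strlen(name);
    size_t proto_len = strlen(protocol);
    if (name_len > COMPONENT_LIMIT || proto_len > COMPONENT_LIMIT) {
        *errnop = ERANGE;   /* same outcome as the NIS check in the report */
        return 0;
    }
    return name_len + proto_len + KEY_OVERHEAD + tablename_len;
}

/* Format the key into a caller-supplied buffer; 0 on success, -1 with
   *errnop = ERANGE if it does not fit (snprintf never overruns buf). */
static int format_service_key(char *buf, size_t buflen, const char *name,
                              const char *protocol, const char *tablename,
                              int *errnop)
{
    int n = snprintf(buf, buflen, "[cname=%s,proto=%s],%s",
                     name, protocol, tablename);
    if (n < 0 || (size_t)n >= buflen) {
        *errnop = ERANGE;
        return -1;
    }
    return 0;
}

/* Hardened form of the lookup pattern: the VLA is declared only after
   both inputs are bounded, so its size is at most
   2 * COMPONENT_LIMIT + KEY_OVERHEAD + strlen(tablename). */
static int lookup_service_checked(const char *name, const char *protocol,
                                  const char *tablename, int *errnop)
{
    size_t need = service_key_size(name, protocol, strlen(tablename), errnop);
    if (need == 0)
        return -1;
    char buf[need];   /* bounded VLA */
    if (format_service_key(buf, sizeof buf, name, protocol, tablename,
                           errnop) != 0)
        return -1;
    /* A real implementation would issue the directory query with buf here. */
    return 0;
}

/* Drive the checked lookup with a constructed name of `len` bytes and
   return the errno value it produced (0 when the lookup was accepted). */
static int probe_name_length(size_t len)
{
    char *name = malloc(len + 1);
    if (name == NULL)
        return ENOMEM;
    memset(name, 'a', len);
    name[len] = '\0';
    int err = 0;
    int rc = lookup_service_checked(name, "tcp", "services.org_dir.example.",
                                    &err);
    free(name);
    return rc == 0 ? 0 : err;
}

/* Same probe for a missing name; returns the errno produced. */
static int probe_null_name(void)
{
    int err = 0;
    int rc = lookup_service_checked(NULL, "tcp", "services.org_dir.example.",
                                    &err);
    return rc == 0 ? 0 : err;
}

/* Returns 1 when the formatted key equals `expected`, else 0. */
static int key_matches(const char *name, const char *protocol,
                       const char *tablename, const char *expected)
{
    char buf[256];
    int err = 0;
    if (format_service_key(buf, sizeof buf, name, protocol, tablename,
                           &err) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    printf("4-byte name: errno %d\n", probe_name_length(4));
    printf("1 MiB name:  errno %d (ERANGE is %d)\n",
           probe_name_length((size_t)1 << 20), ERANGE);
    return 0;
}
```

The 1 MiB name is rejected with ERANGE before the VLA exists, which is the difference between the two glibc functions in the report: the unchecked NIS+ variant would size its stack buffer from that length directly.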



Thread overview: 6+ messages
2015-02-01 20:14 [Bug nis/17913] New: NIS+ Stack allocation max at cxib dot net
2015-02-01 20:14 ` [Bug nis/17913] NIS+ getservbyname() " max at cxib dot net
2015-02-18 13:32 ` fweimer at redhat dot com
2015-08-24  3:41 ` ppluzhnikov at google dot com
2015-08-24  3:55 ` ppluzhnikov at google dot com
2015-08-24  9:24 ` max at cxib dot net
