From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 13849 invoked by alias); 11 Sep 2004 21:01:43 -0000
Mailing-List: contact libc-hacker-help@sources.redhat.com; run by ezmlm
Precedence: bulk
List-Subscribe:
List-Archive:
List-Post:
List-Help: ,
Sender: libc-hacker-owner@sources.redhat.com
Received: (qmail 13819 invoked from network); 11 Sep 2004 21:01:41 -0000
Received: from unknown (HELO Cantor.suse.de) (195.135.220.2) by sourceware.org with SMTP; 11 Sep 2004 21:01:41 -0000
Received: from hermes.suse.de (hermes-ext.suse.de [195.135.221.8]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by Cantor.suse.de (Postfix) with ESMTP id 738C4BCDA2D for ; Sat, 11 Sep 2004 23:01:41 +0200 (CEST)
Date: Sat, 11 Sep 2004 21:01:00 -0000
From: Thorsten Kukuk
To: libc-hacker@sources.redhat.com
Subject: [PATCH] check for buffer underrun in nss_compat
Message-ID: <20040911210141.GA6448@suse.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Organization: SuSE Linux AG, Nuernberg, Germany
User-Agent: Mutt/1.5.6i
X-SW-Source: 2004-09/txt/msg00049.txt.bz2

Hi,

After debugging one crash I found out that there is a case where
buflen is exactly zero in nss_compat. Since we work with negative
offsets, this means reading the next line results in memory
corruption. In real life I only saw this with a test suite which
uses buffers of size 1.

Here is a patch to make sure that this will not happen:

2004-09-11 Thorsten Kukuk

	* nis/nss_compat/compat-grp.c: Check that buflen is greater than
	zero before writing data into the buffer with negative offset.
	* nis/nss_compat/compat-initgroups.c: Likewise.
	* nis/nss_compat/compat-pwd.c: Likewise.
	* nis/nss_compat/compat-spwd.c: Likewise.

--- nis/nss_compat/compat-grp.c 28 Jun 2003 07:58:41 -0000 1.28 +++ nis/nss_compat/compat-grp.c 11 Sep 2004 20:53:05 -0000 
@@ -1,4 +1,4 @@ -/* Copyright (C) 1996,1997,1998,1999,2001,2002, 2003 Free Software Foundation, Inc. +/* Copyright (C) 1996,1997,1998,1999,2001,2002, 2003, 2004 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Thorsten Kukuk , 1996. @@ -253,6 +253,11 @@ do { + if (buflen < 3) /* We need at least 3 characters for one line. */ + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } fgetpos (ent->stream, &pos); buffer[buflen - 1] = '\xff'; p = fgets_unlocked (buffer, buflen, ent->stream); @@ -384,6 +389,11 @@ do { + if (buflen < 3) /* We need at least 3 characters for one line. */ + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } fgetpos (ent->stream, &pos); buffer[buflen - 1] = '\xff'; p = fgets_unlocked (buffer, buflen, ent->stream); @@ -511,6 +521,11 @@ do { + if (buflen < 3) /* We need at least 3 characters for one line. */ + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } fgetpos (ent->stream, &pos); buffer[buflen - 1] = '\xff'; p = fgets_unlocked (buffer, buflen, ent->stream); --- nis/nss_compat/compat-initgroups.c 19 Aug 2004 21:08:49 -0000 1.16 +++ nis/nss_compat/compat-initgroups.c 11 Sep 2004 20:53:05 -0000 @@ -327,6 +327,11 @@ do { + if (buflen < 3) /* We need at least 3 characters for one line. */ + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } fgetpos (ent->stream, &pos); buffer[buflen - 1] = '\xff'; p = fgets_unlocked (buffer, buflen, ent->stream); --- nis/nss_compat/compat-pwd.c 28 Jun 2003 07:59:28 -0000 1.33 +++ nis/nss_compat/compat-pwd.c 11 Sep 2004 20:53:05 -0000 @@ -1,4 +1,4 @@ -/* Copyright (C) 1996-1999,2001,2002,2003 Free Software Foundation, Inc. +/* Copyright (C) 1996-1999,2001,2002,2003, 2004 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Thorsten Kukuk , 1996. 
@@ -499,6 +499,11 @@ do { + if (buflen < 3) /* We need at least 3 characters for one line. */ + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } fgetpos (ent->stream, &pos); buffer[buflen - 1] = '\xff'; p = fgets_unlocked (buffer, buflen, ent->stream); @@ -694,6 +699,11 @@ do { + if (buflen < 3) /* We need at least 3 characters for one line. */ + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } fgetpos (ent->stream, &pos); buffer[buflen - 1] = '\xff'; p = fgets_unlocked (buffer, buflen, ent->stream); @@ -897,6 +907,11 @@ do { + if (buflen < 3) /* We need at least 3 characters for one line. */ + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } fgetpos (ent->stream, &pos); buffer[buflen - 1] = '\xff'; p = fgets_unlocked (buffer, buflen, ent->stream); --- nis/nss_compat/compat-spwd.c 2 Sep 2003 00:45:13 -0000 1.26 +++ nis/nss_compat/compat-spwd.c 11 Sep 2004 20:53:05 -0000 @@ -1,4 +1,4 @@ -/* Copyright (C) 1996-1999,2001,2002,2003 Free Software Foundation, Inc. +/* Copyright (C) 1996-1999,2001,2002,2003, 2004 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Thorsten Kukuk , 1996. @@ -451,6 +451,11 @@ do { + if (buflen < 3) /* We need at least 3 characters for one line. */ + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } fgetpos (ent->stream, &pos); buffer[buflen - 1] = '\xff'; p = fgets_unlocked (buffer, buflen, ent->stream); @@ -645,6 +650,11 @@ do { + if (buflen < 3) /* We need at least 3 characters for one line. */ + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } fgetpos (ent->stream, &pos); buffer[buflen - 1] = '\xff'; p = fgets_unlocked (buffer, buflen, ent->stream); -- Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de SuSE Linux AG Maxfeldstr. 5 D-90409 Nuernberg -------------------------------------------------------------------- Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B
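
Review bot: The comment on the new guard "if (buflen < 3)", repeated in every loop hunk, says only "We need at least 3 characters for one line" and does not say which access needs the third byte. The one store visible in the context, "buffer[buflen - 1] = '\xff';", is in bounds for any buflen of 1 or more, and the negative-offset access the cover text refers to is outside the hunk context. Please expand the comment to name what the three bytes are for, and bring the ChangeLog wording, which speaks of buflen being greater than zero, in line with the actual minimum of 3.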
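
Review bot: The same five-line guard is pasted verbatim into all nine loop hunks (three in compat-grp.c, one in compat-initgroups.c, three in compat-pwd.c, two in compat-spwd.c), so the minimum size and the ERANGE / NSS_STATUS_TRYAGAIN return can drift apart when one site is edited later. Consider a single shared macro or inline helper for the check and use it at each site.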
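
Review bot: In each loop hunk the guard sits inside "do {", ahead of "fgetpos (ent->stream, &pos);", so it is re-evaluated on every pass of the loop. If buflen is not changed in the loop body (the body is outside the hunk context), test it once before the "do" so that the size requirement reads as a precondition of the function rather than as part of the line-reading loop.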