The netgroups file parsing code tries to access the character before
the newline in parsed lines to see if it is a backslash (\). This
results in an access before the block allocated for the line if the
line is blank, i.e. does not have anything other than the newline
character. This doesn't seem like it will cause any crashes because
the byte belongs to the malloc metadata block and hence access to it
will always succeed.
There could be an invalid alteration in code flow where a blank line
is seen as a continuation due to the preceding byte *happening* to be
'\\'. This could be done by interposing malloc, but that's not really
a security problem since one could interpose getnetgrent_r itself and
achieve a similar 'exploit'.
The possibility of actually exploiting this is remote to impossible
since it also requires the previous line to end with a '\\', which
would happen only on invalid configurations.
AF_INET lookup in hosts file uses _nss_files_gethostbyname2_r, which
is not capable of returning a canonical name if it has found one.
This change adds _nss_files_gethostbyname3_r, which wraps around
_nss_files_gethostbyname2_r and then returns result.h_name as the
canonical name.
Currently for AF_INET lookups from the hosts file, buffer sizes larger
than INT_MAX silently overflow and may result in access beyond bounds
of a buffer. This happens when the number of results in an AF_INET
lookup in /etc/hosts are very large.
There are two aspects to the problem. One problem is that the size
computed from the buffer size is stored into an int, which results in
overflow for large sizes. Additionally, even if this size was
expanded, the function used to read content into the buffer (fgets)
accepts only int sizes. As a result, the fix is to have a function
wrap around fgets that calls it multiple times with int sizes if
necessary.
nscd can clear caches when certain files change. The list of files
was hardcoded so far and worked for nss_files and nss_dns and those
modules which need no monitoring. nss_db, for instance, has its
own set of files to monitor. Now the NSS modules themselves can
request that certain files are monitored.
No longer is Berkeley db used. Instead a simple hash function is used.
The database files are not updated once they are created and therefore
no complicated database is needed.
I changed the files NSS backend for networks because I thought the
getent use of getnetbyaddr is correct. But it isn't. Undo parts
of the last change and fix getent.
There were two problems in the getnetbyaddr implementation. The type
argument is pretty much useless since (almost) no input file contains
this information and the NSS backends make up the value they fill in
for the n_addrtype field. Therefore we now declare that passing AF_UNSPEC
is always recognized. Secondly, the files backend didn't compare the network
numbers with the correct endianess.
Also change getent to take advantage of the type parameter change.
prototypes.
* include/arpa/nameser_compat.h: Define T_UNSPEC.
* nis/Versions (libnss_nis): Export _nss_nis_gethostbyname4_r.
(libnss_nisplus): Export _nss_nisplus_gethostbyname4_r.
* nis/nss_nis/nis-hosts.c (LINE_PARSER): Change to also handle
af==AF_UNSPEC.
(_nss_nis_gethostbyname4_r): New function.
* nis/nss_nisplus/nisplus-hosts.c (_nss_nisplus_parse_hostent):
Change to also handle af==AF_UNSPEC.
(get_tablename): New function. Use it to avoid duplication.
(_nss_nisplus_gethostbyname4_r): New function.
* nscd/aicache.c (addhstaiX): Use gethostbyname4_r function is
available.
* nss/Versions (libnss_files): Export _nss_files_gethostbyname4_r.
* nss/nss.h: Define struct gaih_addrtuple.
* nss/nss_files/files-hosts.c (LINE_PARSER): Change to also handle
af==AF_UNSPEC.
(_nss_files_gethostbyname4_r): New function.
* resolv/Versions (libnss_dns): Export _nss_dns_gethostbyname4_r.
* resolv/gethnmaddr.c: Adjust __libc_res_nsearch and __libc_res_nquery
calls.
* resolv/res_query.c (__libc_res_nquery): Take two additional
parameters for second answer buffer. Handle type=T_UNSPEC to mean
look up IPv4 and IPv6.
Change all callers.
* resolv/res_send.c (__libc_res_nsend): Take five aditional parameters
for an additional query and answer buffer. Pass to send_vc and
send_dg.
(send_vc): Send possibly two requests and receive two answers.
(send_dg): Likewise.
* resolv/nss_dns/dns-host.c: Adjust calls to __libc_res_nsearch and
__libc_res_nquery.
(_nss_dns_gethostbyname4_r): New function.
(gaih_getanswer_slice): Likewise.
(gaih_getanswer): Likewise.
* resolv/nss_dns/dns-canon.c (_nss_dns_getcanonname_r): Adjust
__libc_res_nquery call.
* resolv/nss_dns/dns-network.c (_nss_dns_getnetbyaddr_r): Likewise.
(_nss_dns_getnetbyname_r): Adjust __libc_res_nsearch call.
* sysdeps/posix/getaddrinfo.c: Use gethostbyname4_r function is
available.
call.
(__nisfind_server): Similar for open readColdStartFile call.
Patch partially by Jim Meyering.
* nss/nss_files/files-XXX.c (_nss_files_getXXent_r): Save errno
around internal_setent call.
void **.
* nss/nsswitch.h (service_user): Use void * type for KNOWN field.
* nss/nss_files/files-hosts.c (LINE_PARSER): Cast host_addr to
char * to avoid warning.
* nis/nss_nis/nis-hosts.c (LINE_PARSER): Likewise.
* timezone/Makefile (CFLAGS-zdump.c): Add -fwrapv.
* locale/programs/ld-ctype.c (ctype_finish, set_class_defaults,
allocate_arrays): Cast second argument to charmap_find_symbol
to char * to avoid warnings.
* locale/programs/repertoire.c (repertoire_new_char): Change
from_nr, to_nr and cnt to unsigned long, adjust printf format
string.
* locale/programs/ld-collate.c (insert_value, handle_ellipsis):
Cast second argument to new_element to char * to avoid warnings.
* locale/weightwc.h (findidx): Cast &extra[-i] to const int32_t *.
* intl/gettextP.h (struct loaded_domain): Change plural to const
struct expression *.
* intl/plural-eval.c (plural_eval): Change first argument to
const struct expression *.
* intl/plural-exp.c (EXTRACT_PLURAL_EXPRESSION): Change first
argument to const struct expression **.
* intl/plural-exp.h (EXTRACT_PLURAL_EXPRESSION, plural_eval): Adjust
prototypes.
* intl/loadmsgcat (_nl_unload_domain): Cast away const
in call to __gettext_free_exp.
* posix/fnmatch.c (fnmatch): Rearrange code to avoid maybe
unitialized wstring/wpattern var warnings.
* posix/runtests.c (struct a_test): Make data field const char *.
* stdio-common/tst-sprintf2.c (main): Don't declere u, v and buf
vars if not LDBL_MANT_DIG >= 106.
* stdio-common/Makefile (CFLAGS-vfwprintf.c): Add -Wno-unitialized.
* stdio-common/vfprintf.c (vfprintf): Cast first arugment to
__find_specmb to avoid warning.
* rt/tst-mqueue1.c (do_one_test): Add casts to avoid warnings.
* debug/test-strcpy_chk.c (do_tests, do_random_tests): Add casts
to avoid warnings.
* sysdeps/ieee754/ldbl-96/s_roundl.c (huge): Add L suffix to
initializer.
* sysdeps/unix/clock_gettime.c (clock_gettime): Only define
tv var when it will be actually used.
* sunrpc/rpc_cmsg.c (xdr_callmsg): Cast IXDR_PUT_* to void
to avoid warnings.
invalid length [Coverity CID 106].
* nss/nss_files/files-key.c (search): Close stream before
successful return [Coverity CID 107].
* io/fts.c (fts_open): Don't allocate parent if *argv==NULL
[Coverity CID 108].
* sunrpc/rpc_cout.c (inline_struct): Free sizestr after use
[Coverity CID 110, 109].
* sunrpc/rpc_scan.c (docppline): Free file string if it is not
going to be used [Coverity CID 111].
* sysdeps/unix/sysv/linux/getsourcefilter.c (getsourcefilter): Free
memory if socket level value cannot be retrieved [Coverity CID 112].
* nis/nis_clone_dir.c (nis_clone_directory): Free all memory in
error case [Coverity CID 114].
* nis/nis_clone_res.c (nis_clone_result): Free all memory in the
error cases [Coverity CID 115].
* sunrpc/rpc_parse.c (get_definition): Free defp if tok ==
TOK_EOF [Coverity CID 116].
* sysdeps/unix/sysv/linux/setsourcefilter.c (setsourcefilter): Free
memory if socket level value cannot be retrieved [Coverity CID 117].
* elf/cache.c (save_cache): Initialize pad to avoid writing
uninitialized data to disk.
* elf/cache.c (save_cache): Free file_entries_new [Coverity CID 118].
* intl/finddomain.c (_nl_find_domain): Avoid strdup of expand
locale name, use strdupa. Remove free call [Coverity CID 119].
* sunrpc/rpc_main.c (generate_guard): Avoid extra allocation and
the resulting leak [Coverity CID 121].
* sunrpc/rpc_main.c (mkfile_output): Free all allocated memory
[Coverity CID 122].
* sunrpc/rpc_main.c (h_output): Free guard after we are done
[Coverity CID 123].
* sunrpc/svc_udp.c (cache_set): Free victim if newbuf allocation
fails [Coverity CID 126].
* sunrpc/svc_udp.c (svcudp_enablecache): Free memory in error
cases [Coverity CID 127].
* nis/nis_table.c (__create_ib_request): Free ibreq in case strdup
fails [Coverity CID 128].
* nis/nis_getservlist.c (nis_getservlist): Free all memory in case
of an error [Coverity CID 130, 129].
* nis/nis_print_group_entry.c (nis_print_group_entry): If
nis_lookup call failed, return. Free lookup result in error
cases [Coverity CID 131].
* nis/nis_removemember.c (nis_removemember): Free all memory in
error cases [Coverity CID 132].
* nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
Always free lookup result [Coverity CID 134].
* nis/nss_nisplus/nisplus-ethers.c (_nss_nisplus_gethostton_r):
Always free lookup result [Coverity CID 135].
* nis/nss_nisplus/nisplus-ethers.c (_nss_nisplus_getntohost_r):
Always free lookup result [Coverity CID 136].
* nis/nss_nisplus/nisplus-network.c (_nss_nisplus_getnetbyaddr_r):
Before retrying, free old result [Coverity CID 137].
* nis/nss_nisplus/nisplus-publickey.c (_nss_nisplus_netname2user):
Free res in case UID is zero [Coverity CID 138].
* nis/ypclnt.c (yp_update): Always free master string
[Coverity CID 140].
* nis/nis_creategroup.c (nis_creategroup): Free all memory in
error cases [Coverity CID 143, 142, 141].
* nis/nss_nis/nis-publickey.c (_nss_nis_getpublickey): Free result
if yp_match call succeeded [Coverity CID 155].
* nis/nss_nis/nis-publickey.c (_nss_nis_getsecretkey): Free string
allocated in yp_match at all times [Coverity CID 157, 156].
* nscd/nscd.c (write_pid): Close stream also if writing failed
[Coverity CID 165].
* nis/nis_table.c (nis_add_entry): Move test for NULL parameter
ahead of first use [Coverity CID 167].
* nis/nss_nis/nis-alias.c (_nss_nis_getaliasbyname_r): Move test
for NULL parameter ahead of first use [Coverity CID 168].
* intl/finddomain.c (_nl_find_domain): We never return NULL if we
found the locale [Coverity CID 169].
* inet/getnameinfo.c (getnameinfo): __getservbyport_r does not set
herrno [Coverity CID 178].
* nis/nis_checkpoint.c (nis_checkpoint): Don't access and returned
freed object [Coverity CID 182].
(setup): Remove FUNC_NAME and ALL arguments, assume they are always
"setnetgrent" and 1.
(endnetgrent_hook): New function.
(internal_endnetgrent): Use it.
(__internal_setnetgrent_reuse): Use it. Adjust setup caller.
If status is NSS_STATUS_SUCCESS, yet action is continue, call
endnetgrent hook.
(internal_getnetgrent_r): Use __nss_lookup_function rather than
setup. Recompute getfct pointer after successful
__internal_setnetgrent_reuse. Don't use __nss_next.
(innetgr): Use __nss_lookup_function instead of __nss_lookup.
Adjust setup caller.
* nss/nss_files/files-netgrp.c (_nss_files_endnetgrent): Always clear
data_size and cursor. Add libnss_files_hidden_proto and
libnss_files_hidden_def.
(_nss_files_setnetgrent): Call _nss_files_endnetgrent on failure.
* nis/nss_nis/nis-netgrp.c (internal_endnetgrent): Always clear
data_size and cursor.
(_nss_nis_setnetgrent): Don't call internal_endnetgrent.
(_nss_nis_getnetgrent_r): Remove result->cursor == NULL handling.
* nis/nss_nisplus/nisplus-netgrp.c (internal_endnetgrent): Always clear
data_size and position.
(_nss_nisplus_setnetgrent): Don't call internal_endnetgrent.
2005-09-09 Ulrich Drepper <drepper@redhat.com>
* nss/getent.c (netgroup_keys): Call endnetgrent.
(main): Call mtrace.
* nss/nss_files/files-netgrp.c (_nss_files_setnetgrent): We don't
need locking for the stream. Use feof_unlocked.
2005-09-09 Jakub Jelinek <jakub@redhat.com>
