From patchwork Mon May 12 07:58:50 2014
X-Patchwork-Submitter: Andreas Schwab
X-Patchwork-Id: 873
From: Andreas Schwab
To: libc-alpha@sourceware.org
Subject: [PATCH] Fix unbound stack use in NIS NSS module
Date: Mon, 12 May 2014 09:58:50 +0200

yp_match needs to put its request in a single RPC packet, so don't bother trying to support big items.

Andreas.

[BZ #16932]
* nis/nss_nis/nis-hosts.c (internal_gethostbyname2_r)
(_nss_nis_gethostbyname4_r): Return error if item length is larger than maximum RPC packet size.
* nis/nss_nis/nis-initgroups.c (initgroups_netid): Likewise.
* nis/nss_nis/nis-network.c (_nss_nis_getnetbyname_r): Likewise.
* nis/nss_nis/nis-service.c (_nss_nis_getservbyname_r)
(_nss_nis_getservbyport_r): Likewise.

--- nis/nss_nis/nis-hosts.c | 14 ++++++++++++++ nis/nss_nis/nis-initgroups.c | 7 +++++++ nis/nss_nis/nis-network.c | 7 +++++++ nis/nss_nis/nis-service.c | 14 ++++++++++++++ 4 files changed, 42 insertions(+) diff --git a/nis/nss_nis/nis-hosts.c b/nis/nss_nis/nis-hosts.c index 462176e..d6192b1 100644 --- a/nis/nss_nis/nis-hosts.c +++ b/nis/nss_nis/nis-hosts.c @@ -270,6 +270,13 @@ internal_gethostbyname2_r (const char *name, int af, struct hostent *host, /* Convert name to lowercase. */ size_t namlen = strlen (name); + /* Limit name length to the maximum size of an RPC packet. */ + if (namlen > UDPMSGSIZE) + { + *errnop = ERANGE; + return NSS_STATUS_UNAVAIL; + } + char name2[namlen + 1]; size_t i; 
@@ -461,6 +468,13 @@ _nss_nis_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, /* Convert name to lowercase. */ size_t namlen = strlen (name); + /* Limit name length to the maximum size of an RPC packet. */ + if (namlen > UDPMSGSIZE) + { + *errnop = ERANGE; + return NSS_STATUS_UNAVAIL; + } + char name2[namlen + 1]; size_t i; diff --git a/nis/nss_nis/nis-initgroups.c b/nis/nss_nis/nis-initgroups.c index e8fcca1..9542fae 100644 --- a/nis/nss_nis/nis-initgroups.c +++ b/nis/nss_nis/nis-initgroups.c @@ -150,6 +150,13 @@ initgroups_netid (uid_t uid, gid_t group, long int *start, long int *size, gid_t **groupsp, long int limit, int *errnop, const char *domainname) { + /* Limit domainname length to the maximum size of an RPC packet. */ + if (strlen (domainname) > UDPMSGSIZE) + { + *errnop = ERANGE; + return NSS_STATUS_UNAVAIL; + } + /* Prepare the key. The form is "unix.UID@DOMAIN" with the UID and DOMAIN field filled in appropriately. */ char key[sizeof ("unix.@") + sizeof (uid_t) * 3 + strlen (domainname)]; diff --git a/nis/nss_nis/nis-network.c b/nis/nss_nis/nis-network.c index f28fbda..f1b72bc 100644 --- a/nis/nss_nis/nis-network.c +++ b/nis/nss_nis/nis-network.c @@ -179,6 +179,13 @@ _nss_nis_getnetbyname_r (const char *name, struct netent *net, char *buffer, /* Convert name to lowercase. */ size_t namlen = strlen (name); + /* Limit name length to the maximum size of an RPC packet. */ + if (namlen > UDPMSGSIZE) + { + *errnop = ERANGE; + return NSS_STATUS_UNAVAIL; + } + char name2[namlen + 1]; size_t i; diff --git a/nis/nss_nis/nis-service.c b/nis/nss_nis/nis-service.c index f9b4a86..44e4e13 100644 --- a/nis/nss_nis/nis-service.c +++ b/nis/nss_nis/nis-service.c 
@@ -271,6 +271,13 @@ _nss_nis_getservbyname_r (const char *name, const char *protocol, /* If the protocol is given, we could try if our NIS server knows about services.byservicename map. If yes, we only need one query. */ size_t keylen = strlen (name) + (protocol ? 1 + strlen (protocol) : 0); + /* Limit key length to the maximum size of an RPC packet. */ + if (keylen > UDPMSGSIZE) + { + *errnop = ERANGE; + return NSS_STATUS_UNAVAIL; + } + char key[keylen + 1]; /* key is: "name/proto" */ @@ -355,6 +362,13 @@ _nss_nis_getservbyport_r (int port, const char *protocol, Otherwise try first port/tcp, then port/udp and then fallback to sequential scanning of services.byname. */ const char *proto = protocol != NULL ? protocol : "tcp"; + /* Limit protocol name length to the maximum size of an RPC packet. */ + if (strlen (proto) > UDPMSGSIZE) + { + *errnop = ERANGE; + return NSS_STATUS_UNAVAIL; + } + do { /* key is: "port/proto" */
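Review bot: In internal_gethostbyname2_r the test `namlen > UDPMSGSIZE` uses the size of a whole RPC packet as the limit for the name alone, so a name of exactly UDPMSGSIZE bytes passes and still sizes `char name2[namlen + 1]`, although it could never share a packet with the rest of a yp_match request. That is enough to bound the stack use, but the comment should say it is an upper bound rather than the real protocol limit, or the limit should be tightened. The diffstat accounts for all 42 insertions with the six seven-line checks and no new #include, so please confirm that UDPMSGSIZE is already declared in each of the four files through the headers they include. The same applies to the identical hunks in _nss_nis_gethostbyname4_r and _nss_nis_getnetbyname_r.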
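Review bot: In initgroups_netid the length of domainname is computed twice, once in the new `strlen (domainname) > UDPMSGSIZE` check and again in the `char key[... + strlen (domainname)]` declaration that the check is meant to guard. Store it once in a local (for example `size_t domlen = strlen (domainname);`) and use that variable in both places, so the value that was tested is visibly the value that sizes the array, as the other hunks already do with namlen and keylen.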
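Review bot: In _nss_nis_getservbyname_r, and in every other hunk of this patch, the over-long case sets `*errnop = ERANGE` while returning NSS_STATUS_UNAVAIL. In the NSS interface ERANGE is the value that, together with NSS_STATUS_TRYAGAIN, tells the caller its result buffer is too small, so a caller that inspects errno may enlarge the buffer and retry a lookup that can never succeed. Either choose an errno that cannot be mistaken for the buffer-size signal, or add a line to the comment explaining why ERANGE with UNAVAIL is intended. It is also worth stating why UNAVAIL was preferred over NSS_STATUS_NOTFOUND, since a key too long to send cannot be present in the map while the service itself is still reachable.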
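Review bot: In _nss_nis_getservbyport_r the new check runs `strlen (proto)` even when protocol is NULL and proto is the literal "tcp", where it can never trigger; testing `protocol != NULL && strlen (protocol) > UDPMSGSIZE` would make the intent clearer. This is also the sixth copy of the same seven-line block, so a small shared helper or macro that takes the length and errnop would keep the limit and the error convention in one place if either needs to change later.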