summaryrefslogtreecommitdiff
path: root/src/sss_client
diff options
context:
space:
mode:
authorMichal Zidek <mzidek@redhat.com>2013-08-05 20:59:33 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-08-11 20:36:21 +0200
commit9028706a00da1bc48547e74aa872c825ac15adb2 (patch)
treec1133d5686c5a8e6922920ca829c26dde7182561 /src/sss_client
parent86c985481c2fdb1d8996a77576b12bff431c18d5 (diff)
downloadsssd-9028706a00da1bc48547e74aa872c825ac15adb2.tar.gz
sssd-9028706a00da1bc48547e74aa872c825ac15adb2.tar.bz2
sssd-9028706a00da1bc48547e74aa872c825ac15adb2.zip
mmap_cache: Check if slot and name_ptr are not invalid.
This patch prevents jumping outside of allocated memory in case of corrupted slot or name_ptr values. It is not proper solution, just hotfix until we find out what is the root cause of ticket https://fedorahosted.org/sssd/ticket/2018
Diffstat (limited to 'src/sss_client')
-rw-r--r--src/sss_client/nss_mc_group.c8
-rw-r--r--src/sss_client/nss_mc_passwd.c8
2 files changed, 16 insertions, 0 deletions
diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
index b3e9a8a0..2d69be93 100644
--- a/src/sss_client/nss_mc_group.c
+++ b/src/sss_client/nss_mc_group.c
@@ -116,6 +116,10 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
}
while (slot != MC_INVALID_VAL) {
+ if (slot > MC_SIZE_TO_SLOTS(gr_mc_ctx.dt_size)) {
+ /* This probably means that the memory cache was corrupted. */
+ return ENOENT;
+ }
ret = sss_nss_mc_get_record(&gr_mc_ctx, slot, &rec);
if (ret) {
@@ -180,6 +184,10 @@ errno_t sss_nss_mc_getgrgid(gid_t gid,
}
while (slot != MC_INVALID_VAL) {
+ if (slot > MC_SIZE_TO_SLOTS(gr_mc_ctx.dt_size)) {
+ /* This probably means that the memory cache was corrupted. */
+ return ENOENT;
+ }
ret = sss_nss_mc_get_record(&gr_mc_ctx, slot, &rec);
if (ret) {
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
index 4acc6425..fa21bd28 100644
--- a/src/sss_client/nss_mc_passwd.c
+++ b/src/sss_client/nss_mc_passwd.c
@@ -117,6 +117,10 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
}
while (slot != MC_INVALID_VAL) {
+ if (slot > MC_SIZE_TO_SLOTS(pw_mc_ctx.dt_size)) {
+ /* This probably means that the memory cache was corrupted */
+ return ENOENT;
+ }
ret = sss_nss_mc_get_record(&pw_mc_ctx, slot, &rec);
if (ret) {
@@ -181,6 +185,10 @@ errno_t sss_nss_mc_getpwuid(uid_t uid,
}
while (slot != MC_INVALID_VAL) {
+ if (slot > MC_SIZE_TO_SLOTS(pw_mc_ctx.dt_size)) {
+ /* This probably means that the memory cache was corrupted */
+ return ENOENT;
+ }
ret = sss_nss_mc_get_record(&pw_mc_ctx, slot, &rec);
if (ret) {