authorMichal Zidek <mzidek@redhat.com>2013-08-12 19:29:56 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-08-19 20:51:03 +0200
commit8a5931bcc8e9034e4beb92fc9addf3f7fcf83fd6 (patch)
treeef04d4ef11b35aaf780a822ba04784e2c0970e03 /src/sss_client
parentc235f67280a84a5248457c110500fa3f0e11f755 (diff)
mmap_cache: Check data->name value in client code
The data->name value must be checked to prevent segfaults in case of a corrupted memory cache. resolves: https://fedorahosted.org/sssd/ticket/2018
Diffstat (limited to 'src/sss_client')
-rw-r--r--src/sss_client/nss_mc_group.c18
-rw-r--r--src/sss_client/nss_mc_passwd.c19
2 files changed, 37 insertions, 0 deletions
diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
index 2d69be93..da5da041 100644
--- a/src/sss_client/nss_mc_group.c
+++ b/src/sss_client/nss_mc_group.c
@@ -23,6 +23,7 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
+#include <stddef.h>
#include <sys/mman.h>
#include <time.h>
#include "nss_mc.h"
@@ -102,12 +103,17 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
uint32_t hash;
uint32_t slot;
int ret;
+ size_t strs_offset;
+ uint8_t *max_addr;
ret = sss_nss_mc_get_ctx("group", &gr_mc_ctx);
if (ret) {
return ret;
}
+ /* Get max address of data table. */
+ max_addr = gr_mc_ctx.data_table + gr_mc_ctx.dt_size;
+
/* hashes are calculated including the NULL terminator */
hash = sss_nss_mc_hash(&gr_mc_ctx, name, name_len + 1);
slot = gr_mc_ctx.hash_table[hash];
@@ -133,7 +139,19 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
continue;
}
+ strs_offset = offsetof(struct sss_mc_grp_data, strs);
data = (struct sss_mc_grp_data *)rec->data;
+ /* Integrity check
+ * - name_len cannot be longer than all strings
+ * - data->name cannot point outside strings
+ * - all strings must be within data_table */
+ if (name_len > data->strs_len
+ || (data->name + name_len) > (strs_offset + data->strs_len)
+ || (uint8_t *)data->strs + data->strs_len > max_addr) {
+ ret = ENOENT;
+ goto done;
+ }
+
rec_name = (char *)data + data->name;
if (strcmp(name, rec_name) == 0) {
break;
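Review bot: The third condition, `(uint8_t *)data->strs + data->strs_len > max_addr`, forms a pointer from the untrusted strs_len before comparing it, so a corrupted length large enough to wrap the address is undefined behaviour and, on wrap, slips past the check; comparing lengths avoids forming the pointer at all: `|| data->strs_len > (size_t)(max_addr - (uint8_t *)data->strs)`. That form assumes data->strs itself lies inside data_table, which the hunk does not establish — if the record pointer is not validated earlier in the loop, that bound belongs here as well. The second condition also uses `>`, so a name whose terminating NUL sits exactly at offset `strs_offset + data->strs_len` is accepted and strcmp reads one byte past the strings; if strs_len counts the terminators, `>=` is the safe comparison, and a lower bound `data->name < strs_offset` would additionally reject an offset pointing into the record header. The same three lines appear in the nss_mc_passwd.c hunk and need the same change; the enclosing loop and function continue outside the hunk.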
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
index fa21bd28..4b087668 100644
--- a/src/sss_client/nss_mc_passwd.c
+++ b/src/sss_client/nss_mc_passwd.c
@@ -23,6 +23,7 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
+#include <stddef.h>
#include <sys/mman.h>
#include <time.h>
#include "nss_mc.h"
@@ -103,12 +104,17 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
uint32_t hash;
uint32_t slot;
int ret;
+ size_t strs_offset;
+ uint8_t *max_addr;
ret = sss_nss_mc_get_ctx("passwd", &pw_mc_ctx);
if (ret) {
return ret;
}
+ /* Get max address of data table. */
+ max_addr = pw_mc_ctx.data_table + pw_mc_ctx.dt_size;
+
/* hashes are calculated including the NULL terminator */
hash = sss_nss_mc_hash(&pw_mc_ctx, name, name_len + 1);
slot = pw_mc_ctx.hash_table[hash];
@@ -134,7 +140,20 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
continue;
}
+ strs_offset = offsetof(struct sss_mc_pwd_data, strs);
+
data = (struct sss_mc_pwd_data *)rec->data;
+ /* Integrity check
+ * - name_len cannot be longer than all strings
+ * - data->name cannot point outside strings
+ * - all strings must be within data_table */
+ if (name_len > data->strs_len
+ || (data->name + name_len) > (strs_offset + data->strs_len)
+ || (uint8_t *)data->strs + data->strs_len > max_addr) {
+ ret = ENOENT;
+ goto done;
+ }
+
rec_name = (char *)data + data->name;
if (strcmp(name, rec_name) == 0) {
break;