Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (BZ #16878)

The netgroups nss modules in the glibc tree use NSS_STATUS_UNAVAIL
(with errno as ERANGE) when the supplied buffer does not have
sufficient space for the result.  This is wrong, because the canonical
way to indicate insufficient buffer is to set the errno to ERANGE and
the status to NSS_STATUS_TRYAGAIN, as is used by all other modules.

This fixes nscd behaviour when the nss_ldap module returns
NSS_STATUS_TRYAGAIN to indicate that a netgroup entry is too long to
fit into the supplied buffer.

(cherry picked from commit c3ec475c5dd16499aa040908e11d382c3ded9692)

Conflicts:
	NEWS

diff --git a/ChangeLog b/ChangeLog
index d84e14dd851c13bee3957d178b554ab9cf2cc8a4..0255114fba29f338848bc14cc1db6b0692cdf376 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2014-05-26  Siddhesh Poyarekar  <siddhesh@redhat.com>
+
+       [BZ #16878]
+       * nscd/netgroupcache.c (addgetnetgrentX): Look for
+       NSS_STATUS_TRYAGAIN to indicate insufficient buffer space.
+       * nscd/nss_files/files-netgrp.c (_nss_netgroup_parseline): Use
+       NSS_STATUS_TRYAGAIN to indicate insufficient buffer space.
+
 2014-03-12  Siddhesh Poyarekar  <siddhesh@redhat.com>
 
        [BZ #16695]

diff --git a/NEWS b/NEWS
index 58fe721c752486ed738aa5c40d23cdb4f2e55058..e84bae538ff8dd7041288455b3fa428dba4e67df 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,8 +9,8 @@ Version 2.19.1
 
 * The following bugs are resolved with this release:
 
-  15946, 16545, 16574, 16623, 16695, 16882, 16885, 16916, 16932, 16943,
-  16958, 17048, 17069.
+  15946, 16545, 16574, 16623, 16695, 16878, 16882, 16885, 16916, 16932,
+  16943, 16958, 17048, 17069.
 
 * CVE-2014-4043 The posix_spawn_file_actions_addopen implementation did not
   copy the path argument.  This allowed programs to cause posix_spawn to

diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index fe7fc750e20a8409f037c4863e903c00f0f0c588..084f74df2f8a059a1bdfb8513a6f9caced31941b 100644 (file)
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -203,11 +203,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
                    int e;
                    status = getfct.f (&data, buffer + buffilled,
                                       buflen - buffilled - req->key_len, &e);
-                   if (status == NSS_STATUS_RETURN
-                       || status == NSS_STATUS_NOTFOUND)
-                     /* This was either the last one for this group or the
-                        group was empty.  Look at next group if available.  */
-                     break;
                    if (status == NSS_STATUS_SUCCESS)
                      {
                        if (data.type == triple_val)
@@ -322,11 +317,18 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
                              }
                          }
                      }
-                   else if (status == NSS_STATUS_UNAVAIL && e == ERANGE)
+                   else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
                      {
                        buflen *= 2;
                        buffer = xrealloc (buffer, buflen);
                      }
+                   else if (status == NSS_STATUS_RETURN
+                            || status == NSS_STATUS_NOTFOUND
+                            || status == NSS_STATUS_UNAVAIL)
+                     /* This was either the last one for this group or the
+                        group was empty or the NSS module had an internal
+                        failure.  Look at next group if available.  */
+                     break;
                  }
 
              enum nss_status (*endfct) (struct __netgrent *);

diff --git a/nss/nss_files/files-netgrp.c b/nss/nss_files/files-netgrp.c
index 34eae4c5becd8e95cc373213b5e60128a1b09f94..bc0b367da87583ceaa3b7368e2c064cff314055d 100644 (file)
--- a/nss/nss_files/files-netgrp.c
+++ b/nss/nss_files/files-netgrp.c
@@ -252,7 +252,7 @@ _nss_netgroup_parseline (char **cursor, struct __netgrent *result,
   if (cp - host > buflen)
     {
       *errnop = ERANGE;
-      status = NSS_STATUS_UNAVAIL;
+      status = NSS_STATUS_TRYAGAIN;
     }
   else
     {