+2014-05-12 Andreas Schwab <schwab@suse.de>
+
+ [BZ #16932]
+ * nis/nss_nis/nis-hosts.c (internal_gethostbyname2_r)
+ (_nss_nis_gethostbyname4_r): Return error if item length is larger
+ than maximum RPC packet size.
+ * nis/nss_nis/nis-initgroups.c (initgroups_netid): Likewise.
+ * nis/nss_nis/nis-network.c (_nss_nis_getnetbyname_r): Likewise.
+ * nis/nss_nis/nis-service.c (_nss_nis_getservbyname_r)
+ (_nss_nis_getservbyport_r): Likewise.
+
2014-06-21 Allan McRae <allan@archlinux.org>
* NEWS: Mention CVE-2014-4043.
* The following bugs are resolved with this release:
- 16545, 16623, 16882, 16885, 16916, 16943, 16958, 17048.
+ 16545, 16623, 16882, 16885, 16916, 16932, 16943, 16958, 17048.
* CVE-2014-4043 The posix_spawn_file_actions_addopen implementation did not
copy the path argument. This allowed programs to cause posix_spawn to
/* Convert name to lowercase. */
size_t namlen = strlen (name);
+ /* Limit name length to the maximum size of an RPC packet. */
+ if (namlen > UDPMSGSIZE)
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_UNAVAIL;
+ }
+
char name2[namlen + 1];
size_t i;
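Review bot: The added comment names only the RPC packet limit, but the check sits directly above `char name2[namlen + 1];`, a stack VLA sized from the caller-supplied name, so the same guard is what keeps an arbitrarily long lookup name from growing the stack frame unbounded; record both reasons, e.g. `/* Limit name length to the maximum size of an RPC packet; this also bounds the name2 VLA below. */`. The identical check and comment appear in the hunks ending at L40 (_nss_nis_gethostbyname4_r) and L64 (_nss_nis_getnetbyname_r) and would benefit from the same wording. Pairing ERANGE with NSS_STATUS_UNAVAIL is presumably intended to stop callers from treating this as a buffer-too-small retry, though a caller that only inspects errno could still read it that way; a one-line comment on why ERANGE rather than EINVAL was chosen would help. The enclosing function starts and ends outside the hunk.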
/* Convert name to lowercase. */
size_t namlen = strlen (name);
+ /* Limit name length to the maximum size of an RPC packet. */
+ if (namlen > UDPMSGSIZE)
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_UNAVAIL;
+ }
+
char name2[namlen + 1];
size_t i;
gid_t **groupsp, long int limit, int *errnop,
const char *domainname)
{
+ /* Limit domainname length to the maximum size of an RPC packet. */
+ if (strlen (domainname) > UDPMSGSIZE)
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_UNAVAIL;
+ }
+
/* Prepare the key. The form is "unix.UID@DOMAIN" with the UID and
DOMAIN field filled in appropriately. */
char key[sizeof ("unix.@") + sizeof (uid_t) * 3 + strlen (domainname)];
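Review bot: The guard compares `strlen (domainname)` alone against UDPMSGSIZE, but the item actually sent is the key built on the next lines as "unix.UID@DOMAIN", which is longer than the domain name by the prefix, the UID digits and the separator, so a domainname just under the limit still produces a key over it; the getservbyname hunk (L67-L69) checks the assembled `keylen`, and this hunk should do the same, e.g. `size_t domlen = strlen (domainname);` / `if (sizeof ("unix.@") + sizeof (uid_t) * 3 + domlen > UDPMSGSIZE)` with `domlen` reused in the `key` declaration instead of the second `strlen`. Whether an oversized key is merely rejected or causes a worse failure in the RPC layer is not visible here. The getservbyport hunk ending at L89 has the same mismatch: it bounds `strlen (proto)` while the key there is "port/proto". initgroups_netid's signature begins above this hunk and its body continues below it.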
/* Convert name to lowercase. */
size_t namlen = strlen (name);
+ /* Limit name length to the maximum size of an RPC packet. */
+ if (namlen > UDPMSGSIZE)
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_UNAVAIL;
+ }
+
char name2[namlen + 1];
size_t i;
/* If the protocol is given, we could try if our NIS server knows
about services.byservicename map. If yes, we only need one query. */
size_t keylen = strlen (name) + (protocol ? 1 + strlen (protocol) : 0);
+ /* Limit key length to the maximum size of an RPC packet. */
+ if (keylen > UDPMSGSIZE)
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_UNAVAIL;
+ }
+
char key[keylen + 1];
/* key is: "name/proto" */
Otherwise try first port/tcp, then port/udp and then fallback
to sequential scanning of services.byname. */
const char *proto = protocol != NULL ? protocol : "tcp";
+ /* Limit protocol name length to the maximum size of an RPC packet. */
+ if (strlen (proto) > UDPMSGSIZE)
+ {
+ *errnop = ERANGE;
+ return NSS_STATUS_UNAVAIL;
+ }
+
do
{
/* key is: "port/proto" */