From owner-freebsd-bugs Tue Sep 5 17:41:26 1995
Return-Path: bugs-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id RAA13067 for bugs-outgoing; Tue, 5 Sep 1995 17:41:26 -0700
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id RAA13061 for ; Tue, 5 Sep 1995 17:41:25 -0700
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <14578(19)>; Tue, 5 Sep 1995 17:40:49 PDT
Received: by crevenia.parc.xerox.com id <177475>; Tue, 5 Sep 1995 17:40:45 -0700
From: Bill Fenner
To: bugs@freebsd.org
Subject: NIS passwd file doesn't work on 2.1.0-950726-SNAP?
Message-Id: <95Sep5.174045pdt.177475@crevenia.parc.xerox.com>
Date: Tue, 5 Sep 1995 17:40:38 PDT
Sender: bugs-owner@freebsd.org
Precedence: bulk

The root disk on the FreeBSD machine on my disk toasted itself, so I decided to install 2.1.0-950726-SNAP. I couldn't get it to use our YP passwd file; "login" refuses my login and "finger" dumps core.

The core dump is in _netyppass, in getpwent.c:742 -- free(result). At this point, result == 0x72, and resultlen == 1702065519. It turns out that our NIS map has a user that looks like

parcprotouser:*:100:0::/:/no_shell

and trying to sprintf() parcprotouser into user[UT_NAMESIZE] fails miserably.

I fixed it by
a) making user[] big enough to sprintf() into (tsk, tsk!)
b) truncating the username to UT_NAMESIZE bytes.

Note that this code also had a potential core dump if it got an answer from the YP server that didn't have a colon in it. I didn't really know how to handle that case; I truncated the username to 0 bytes, which isn't the right thing to do, but I don't know what is.

Bill

--- /usr/src/lib/libc/gen/getpwent.c.orig Tue Sep 5 17:04:47 1995 +++ getpwent.c Tue Sep 5 17:32:14 1995
@@ -585,14 +585,15 @@ static int _getyppass(struct passwd *pw, const char *name, const char *map) { - char *result, *s; + char *result, *s, *q; static char resultbuf[1024]; int resultlen; char mastermap[1024]; int gotmaster = 0; struct _pw_cache *m, *p; struct _namelist *n; - char user[UT_NAMESIZE]; + char user[UT_NAMESIZE + 1]; + int ul; if(!_pw_yp_domain) { if(yp_get_default_domain(&_pw_yp_domain)) @@ -617,7 +618,13 @@ if(resultlen >= sizeof resultbuf) return 0; strcpy(resultbuf, result); - sprintf (user, "%.*s", (strchr(result, ':') - result), result); + q = strchr(result, ':'); + if (q) { + ul = q - result > UT_NAMESIZE ? UT_NAMESIZE : q - result; + } else { + ul = 0; /*XXX no colon -- do what? */ + } + sprintf (user, "%.*s", ul, result); _pw_passwd.pw_fields = -1; /* Impossible value */ if (_minuscnt && _minushead) { m = _minushead; @@ -669,7 +676,9 @@ int gotmaster = 0; struct _pw_cache *m, *p; struct _namelist *n; - char user[UT_NAMESIZE]; + char user[UT_NAMESIZE+1]; + int ul; + char *q; if(!_pw_yp_domain) { if(yp_get_default_domain(&_pw_yp_domain)) @@ -710,7 +719,13 @@ } strcpy(resultbuf, result); - sprintf(user, "%.*s", (strchr(result, ':') - result), result); + q = strchr(result, ':'); + if (q) { + ul = q - result > UT_NAMESIZE ? UT_NAMESIZE : q - result; + } else { + ul = 0; /*XXX no colon -- do what? */ + } + sprintf (user, "%.*s", ul, result); _pw_passwd.pw_fields = -1; /* Impossible value */ if (_minuscnt && _minushead) { m = _minushead;
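Review bot: The no-colon branch in the hunk at -617 (_getyppass) sets ul = 0 and falls through, so a reply from the YP server that has no ':' is still processed with an empty user and reaches the "if (_minuscnt && _minushead)" block below. The context just above already rejects an oversized reply with "return 0;", and treating a missing colon the same way ("if (q == NULL) return 0;") would resolve the XXX instead of continuing with a name that matches nothing real. Separately, clamping to UT_NAMESIZE leaves user holding only a prefix of the NIS name; if user is what gets compared against the list entries that follow, a long name can then match an entry written for a different, shorter user, so rejecting an over-long name is safer than truncating it.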
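Review bot: Style in the hunk at -669: the declaration is written "char user[UT_NAMESIZE+1];" with q on its own "char *q;" line, while the hunk at -585 writes "char user[UT_NAMESIZE + 1];" and folds q into the existing "char *result, *s, *q;" line. Pick one form for both functions, and add a short comment that the +1 is room for the terminating NUL so the size is not "simplified" back later.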
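Review bot: The seven added lines in the hunk at -710 are a verbatim copy of the ones added at -617, including the unresolved "/*XXX no colon -- do what? */" branch. Move the strchr/clamp/sprintf sequence into one small static helper that takes result and the user buffer and reports failure when there is no colon, so both callers share a single decision for malformed replies and the two copies cannot drift apart.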