Date:      Wed, 26 Aug 2020 17:01:50 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 248932] integer underflow in grp_unmarshal_func triggered by nscd
Message-ID:  <bug-248932-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248932

            Bug ID: 248932
           Summary: integer underflow in grp_unmarshal_func triggered by
                    nscd
           Product: Base System
           Version: 11.4-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: asomers@FreeBSD.org

Created attachment 217545
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=217545&action=edit
Fix integer underflow in getgrent.c

When calling getgrnam_r for nonexistent group "root", nscd will for some reason
return a 1-byte buffer.  This triggers an underflow from an unsigned integer
comparison, causing grp_unmarshal_func to return ERANGE.  That, in turn, may
lead applications to repeat the call with ever-larger buffers.

I haven't tried to debug nscd yet, but I think the correct thing to do in this
case is for grp_unmarshal_func to return NS_UNAVAIL.  That's what the attached
patch does.

Steps to Reproduce:
* Install pkg from git head (prior to https://github.com/freebsd/pkg/pull/1873
pkg would ignore ERANGE errors)
* Enable nscd.  I'm using it with LDAP, and in my nsswitch.conf I have "group:
files cache ldap", but I don't think the order matters.
* Try to install a package that sets the group ownership of one or more files
to "root" (which does not exist).

It will print errors like:
pkg: getgrnam_r: Result too large

-- 
You are receiving this mail because:
You are the assignee for the bug.
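
An added illustration, not part of the original report and not the FreeBSD source: a simplified C model of the unsigned length comparison the report describes, next to a form that rejects an undersized cached record before subtracting. The function names, the `HDR_SIZE` value, the local result enum and the doubling retry loop are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
/* Local stand-ins for the result codes named in the report (assumed values). */
enum result { R_SUCCESS, R_ERANGE, R_UNAVAIL };
/* Assumed fixed overhead at the start of a marshalled record. */
#define HDR_SIZE 40u

/* Before: the unsigned subtraction wraps when cached_size < HDR_SIZE. */
static enum result check_before(size_t caller_buf, size_t cached_size)
{
    if (caller_buf < cached_size - HDR_SIZE)  /* 1 - 40 wraps to SIZE_MAX - 38 */
        return R_ERANGE;
    return R_SUCCESS;
}

/* After: a record too short to hold the header is rejected first. */
static enum result check_after(size_t caller_buf, size_t cached_size)
{
    if (cached_size < HDR_SIZE)
        return R_UNAVAIL;
    if (caller_buf < cached_size - HDR_SIZE)
        return R_ERANGE;
    return R_SUCCESS;
}

/* Caller-side retry: double the buffer on ERANGE, stop past max_buf. */
static int retry_attempts(enum result (*check)(size_t, size_t),
    size_t cached_size, size_t start_buf, size_t max_buf, enum result *last)
{
    int attempts = 0;
    size_t buf = start_buf;
    do {
        attempts++;
        *last = check(buf, cached_size);
        if (*last != R_ERANGE) break;
        buf *= 2;
    } while (buf <= max_buf);
    return attempts;
}

int main(void)
{
    enum result r;
    int n = retry_attempts(check_before, 1, 1024, 1u << 20, &r);
    printf("before: %d attempts, result %d\n", n, (int)r);
    n = retry_attempts(check_after, 1, 1024, 1u << 20, &r);
    printf("after:  %d attempts, result %d\n", n, (int)r);
    return 0;
}
```

With a 1-byte cached record, the "before" check reports ERANGE for every buffer size the caller tries, while the "after" check returns on the first attempt.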
