Date:      Wed, 26 Aug 2020 17:01:50 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 248932] integer underflow in grp_unmarshal_func triggered by nscd
Message-ID:  <bug-248932-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248932

            Bug ID: 248932
           Summary: integer underflow in grp_unmarshal_func triggered by
                    nscd
           Product: Base System
           Version: 11.4-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: asomers@FreeBSD.org

Created attachment 217545
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=217545&action=edit
Fix integer underflow in getgrent.c

When calling getgrnam_r for nonexistent group "root", nscd will for some
reason return a 1-byte buffer.  This triggers an underflow from an unsigned
integer comparison, causing grp_unmarshal_func to return ERANGE.  That, in
turn, may lead applications to repeat the call with ever-larger buffers.

I haven't tried to debug nscd yet, but I think the correct thing to do in
this case is for grp_unmarshal_func to return NS_UNAVAIL.  That's what the
attached patch does.

Steps to Reproduce:
* Install pkg from git head (prior to
  https://github.com/freebsd/pkg/pull/1873 pkg would ignore ERANGE errors)
* Enable nscd.  I'm using it with LDAP, and in my nsswitch.conf I have
  "group: files cache ldap", but I don't think the order matters.
* Try to install a package that sets the group ownership of one or more
  files to "root" (which does not exist).

It will print errors like:
pkg: getgrnam_r: Result too large

-- 
You are receiving this mail because:
You are the assignee for the bug.
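
Added example (not part of the original report and not the FreeBSD source): a minimal C model of the unsigned comparison the report describes, the guard it proposes, and a caller that doubles its buffer on ERANGE. The status codes, struct rec_hdr, FIXED_OVERHEAD, the 1024-byte starting size and all function names are hypothetical stand-ins; the real getgrent.c code is not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical status codes for this sketch (not the libc NS_* values). */
enum status { ST_SUCCESS, ST_ERANGE, ST_UNAVAIL };

/* Constructed stand-in for the fixed-size part of a marshalled record. */
struct rec_hdr { char *name; char *passwd; unsigned gid; char **members; };
#define FIXED_OVERHEAD (sizeof(struct rec_hdr) + sizeof(char *))

/* Unguarded: the subtraction is unsigned, so a reply shorter than
 * FIXED_OVERHEAD wraps to a huge value and every caller buffer looks small. */
static enum status check_unguarded(size_t caller_size, size_t reply_size)
{
	if (caller_size < reply_size - FIXED_OVERHEAD)
		return ST_ERANGE;
	return ST_SUCCESS;
}

/* Guarded: reject a truncated reply before doing the subtraction. */
static enum status check_guarded(size_t caller_size, size_t reply_size)
{
	if (reply_size < FIXED_OVERHEAD)
		return ST_UNAVAIL;
	return check_unguarded(caller_size, reply_size);
}

/* Caller model: double the buffer on ERANGE up to max_size; count attempts. */
static enum status lookup_with_retry(enum status (*check)(size_t, size_t),
    size_t reply_size, size_t max_size, int *attempts)
{
	enum status st;
	size_t sz = 1024;	/* constructed first-try buffer size */
	*attempts = 0;
	do {
		(*attempts)++;
		st = check(sz, reply_size);
		sz *= 2;
	} while (st == ST_ERANGE && sz <= max_size);
	return st;
}

int main(void)
{
	int a, b;	/* reply_size 1 models the 1-byte buffer from the report */
	enum status u = lookup_with_retry(check_unguarded, 1, (size_t)1 << 20, &a);
	enum status g = lookup_with_retry(check_guarded, 1, (size_t)1 << 20, &b);
	printf("unguarded: status=%d attempts=%d\n", u, a);
	printf("guarded:   status=%d attempts=%d\n", g, b);
	return 0;
}
```

With a 1-byte reply the unguarded check reports ERANGE at every buffer size up to the cap, while the guarded check stops on the first attempt.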