From: "Wall, Stephen"
To: "freebsd-bugs@freebsd.org"
Subject: Possible bug with account/password expiration
Date: Thu, 17 Aug 2017 21:33:18 +0000
Message-ID: <5320af8198d943f69b688d78203d8e31@exch-02.redcom.com>

While trying to determine the cause of a problem a customer had with being unable to reset their root password, I came across this piece of code in usr.sbin/pwd_mkdb/pwd_mkdb.c:

    #define SCALAR(e)   store = htonl((uint32_t)(e));       \
                        memmove(p, &store, sizeof(store));  \
                        p += sizeof(store);
    #define LSCALAR(e)  store = HTOL((uint32_t)(e));        \
                        memmove(p, &store, sizeof(store));  \
                        p += sizeof(store);
    #define HTOL(e)     (openinfo.lorder == BYTE_ORDER ?    \
                        (uint32_t)(e) :                     \
                        bswap32((uint32_t)(e)))

        if (!is_comment &&
            (!username || (strcmp(username, pwd.pw_name) == 0))) {
            /* Create insecure data. */
            p = buf;
            COMPACT(pwd.pw_name);
            COMPACT("*");
            SCALAR(pwd.pw_uid);
            SCALAR(pwd.pw_gid);
            SCALAR(pwd.pw_change);
            COMPACT(pwd.pw_class);
            COMPACT(pwd.pw_gecos);
            COMPACT(pwd.pw_dir);
            COMPACT(pwd.pw_shell);
            SCALAR(pwd.pw_expire);
            SCALAR(pwd.pw_fields);
            data.size = p - buf;

Note the cast to uint32_t in the SCALAR macro, then the use of that macro further down with pwd.pw_change and pwd.pw_expire. These fields are declared as time_t, which is a 64-bit value on x86. It seems to me this will incorrectly truncate the values when passing them to htonl().

Am I missing something here?

On a side note, use of these fields is pretty inconsistent throughout the code. They are passed around variously as time_t, intmax_t, and long. While these do happen to all be the same size on x86 (I did not investigate other platforms), it's not good practice and could lead to problems if these types diverge.

Thanks
-spw
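
The following is an added illustration, not part of the original message and not FreeBSD code: it reproduces the cast-then-htonl() pattern of the quoted SCALAR macro on a 64-bit timestamp and shows what a reader gets back from the 4-byte field. The function names, the unsigned-widening reader, the range check and the sample values are all assumptions made for the example; int64_t stands in for a 64-bit time_t.

```c
/* Added illustration: not code from pwd_mkdb.c. */
#include <arpa/inet.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Writer: same cast-then-htonl pattern as the quoted SCALAR macro. */
static void store_scalar32(unsigned char *p, int64_t e)
{
    uint32_t store = htonl((uint32_t)e);   /* upper 32 bits are dropped here */
    memmove(p, &store, sizeof(store));
}

/* Hypothetical reader (assumption): widens the 4-byte field as unsigned. */
static int64_t load_scalar32(const unsigned char *p)
{
    uint32_t store;
    memmove(&store, p, sizeof(store));
    return (int64_t)ntohl(store);
}

/* What a 64-bit timestamp looks like after a trip through the 4-byte field. */
int64_t roundtrip32(int64_t t)
{
    unsigned char buf[sizeof(uint32_t)];
    store_scalar32(buf, t);
    return load_scalar32(buf);
}

/* Range check a writer could run before packing (hypothetical helper). */
int fits_in_scalar32(int64_t t)
{
    return t >= 0 && t <= (int64_t)UINT32_MAX;
}

int main(void)
{
    /* Constructed sample values, not taken from any real passwd database. */
    const int64_t samples[] = { 1503005598LL, 4294967296LL, 5797972894LL, -1 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%" PRId64 " -> %" PRId64 " (fits: %d)\n", samples[i],
               roundtrip32(samples[i]), fits_in_scalar32(samples[i]));
    return 0;
}
```

A value of exactly 2^32 comes back as 0, which passwd(5) treats the same as an empty change or expire field, so values outside the 32-bit range are worth rejecting or flagging before they are packed.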