
Bug#33197: buffer overflows and missing NULL terminations on compat-style NIS lookups



Package: libc6
Version: 2.0.7.19981211-4

In "nis/nss_compat/", the code in "compat-grp.c" fails to NULL
terminate the result of an NIS lookup, and, in "compat-pwd.c" and
"compat-spwd.c", the code to do the NULL termination puts the
terminator outside the buffer if the lookup result is larger than the
buffer size.

These could, conceivably, have security ramifications.  For example,
it might be possible for "sg" or "newgrp" to give a user unauthorized
access to a group under very specific conditions.

The following patch probably fixes the problem, but it'll take a
(long) while for my (slow) machine to recompile the C library so I can
check for sure.

Thanks.

Kevin <buhr@stat.wisc.edu>

			*	*	*

--- nis/nss_compat/compat-grp.c	1999/02/10 22:08:27	1.1
+++ nis/nss_compat/compat-grp.c	1999/02/10 22:15:51
@@ -285,6 +285,7 @@
     return NSS_STATUS_NOTFOUND;
   p = strncpy (buffer, outval,
 	       buflen < (size_t) outvallen ? buflen : (size_t) outvallen);
+  buffer[buflen <= (size_t) outvallen ? buflen-1 : (size_t) outvallen] = '\0';
   free (outval);
   while (isspace (*p))
     p++;
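Review bot: The added terminator line silently truncates a lookup result that does not fit: when outvallen >= buflen, strncpy copies only buflen bytes and the '\0' cuts the entry short, so the whitespace skip and the parser below operate on a partial group line instead of the caller learning that its buffer is too small. The NSS convention for that case is to release outval and return NSS_STATUS_TRYAGAIN with ERANGE reported through whatever errno path this function uses (that plumbing is outside the hunk and should be confirmed against the rest of the file), e.g. `if ((size_t) outvallen >= buflen) { free (outval); errno = ERANGE; return NSS_STATUS_TRYAGAIN; }` before the copy, after which `buffer[outvallen] = '\0'` is always in bounds. As written, `buflen-1` also wraps to SIZE_MAX when buflen is 0, unless a check outside the hunk already excludes that. The same pattern is repeated in the @@ -572 hunk of this file, the @@ -523 hunk of compat-pwd.c and the @@ -475 hunk of compat-spwd.c; the enclosing function starts and ends outside the hunk.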
@@ -572,6 +573,7 @@
     return NSS_STATUS_TRYAGAIN;
   p = strncpy (buffer, outval,
 	       buflen < (size_t) outvallen ? buflen : (size_t) outvallen);
+  buffer[buflen <= (size_t) outvallen ? buflen-1 : (size_t) outvallen] = '\0';
   free (outval);
   while (isspace (*p))
     p++;
--- nis/nss_compat/compat-pwd.c	1999/02/10 22:08:27	1.1
+++ nis/nss_compat/compat-pwd.c	1999/02/10 22:13:06
@@ -523,7 +523,7 @@
     return NSS_STATUS_NOTFOUND;
   ptr = strncpy (buffer, outval, buflen < (size_t) outvallen ?
 		 buflen : (size_t) outvallen);
-  buffer[buflen < (size_t) outvallen ? buflen : (size_t) outvallen] = '\0';
+  buffer[buflen <= (size_t) outvallen ? buflen-1 : (size_t) outvallen] = '\0';
   free (outval);
   while (isspace (*ptr))
     ptr++;
@@ -935,7 +935,7 @@
     return NSS_STATUS_TRYAGAIN;
   ptr = strncpy (buffer, outval, buflen < (size_t) outvallen ?
 		 buflen : (size_t) outvallen);
-  buffer[buflen < (size_t) outvallen ? buflen : (size_t) outvallen] = '\0';
+  buffer[buflen < (size_t) outvallen ? buflen-1 : (size_t) outvallen] = '\0';
   free (outval);
   while (isspace (*ptr))
     ptr++;
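Review bot: This hunk keeps `<` in the new terminator line where the other three hunks switched to `<=`, so when buflen == outvallen strncpy fills all buflen bytes without a terminator, the index evaluates to buflen, and the '\0' lands one byte past the end of buffer — exactly the overflow the patch sets out to close. The line should read `buffer[buflen <= (size_t) outvallen ? buflen-1 : (size_t) outvallen] = '\0';` to match the others. The enclosing function starts and ends outside the hunk.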
--- nis/nss_compat/compat-spwd.c        1999/02/10 22:08:27     1.1
+++ nis/nss_compat/compat-spwd.c        1999/02/10 22:35:14
@@ -475,7 +475,7 @@
     return NSS_STATUS_NOTFOUND;
   ptr = strncpy (buffer, outval, buflen < (size_t) outvallen ?
                 buflen : (size_t) outvallen);
-  buffer[buflen < (size_t) outvallen ? buflen : (size_t) outvallen] = '\0';
+  buffer[buflen <= (size_t) outvallen ? buflen-1 : (size_t) outvallen] = '\0';
   free (outval);
   while (isspace (*ptr))
     ptr++;

