[Bug 248932] integer underflow in grp_unmarshal_func triggered by nscd
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Wed Aug 26 17:01:51 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248932
Bug ID: 248932
Summary: integer underflow in grp_unmarshal_func triggered by
nscd
Product: Base System
Version: 11.4-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs at FreeBSD.org
Reporter: asomers at FreeBSD.org
Created attachment 217545
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=217545&action=edit
Fix integer underflow in getgrent.c
When calling getgrnam_r for nonexistent group "root", nscd will for some reason
return a 1-byte buffer. This triggers an underflow from an unsigned integer
comparison, causing grp_unmarshal_func to return ERANGE. That, in turn, may
lead applications to repeat the call with ever-larger buffers.
I haven't tried to debug nscd yet, but I think the correct thing to do in this
case is for grp_unmarshall_func to return NS_UNAVAIL. That's what the attached
patch does.
Steps to Reproduce:
* Install pkg from git head (prior to https://github.com/freebsd/pkg/pull/1873
pkg would ignore ERANGE errors)
* enable nscd. I'm using it with LDAP, and in my nsswitch.conf I have "group:
files cache ldap", but I don't think the order matters.
* Try to install a package that sets the group ownership of one or more files
to "root" (which does not exist).
It will print errors like:
pkg: getgrnam_r: Result too large
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list