[Bug 248932] integer underflow in grp_unmarshal_func triggered by nscd

bugzilla-noreply at freebsd.org
Wed Aug 26 17:01:51 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248932

            Bug ID: 248932
           Summary: integer underflow in grp_unmarshal_func triggered by
                    nscd
           Product: Base System
           Version: 11.4-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs at FreeBSD.org
          Reporter: asomers at FreeBSD.org

Created attachment 217545
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=217545&action=edit
Fix integer underflow in getgrent.c

When calling getgrnam_r for nonexistent group "root", nscd will for some reason
return a 1-byte buffer.  This triggers an underflow from an unsigned integer
comparison, causing grp_unmarshal_func to return ERANGE.  That, in turn, may
lead applications to repeat the call with ever-larger buffers.

I haven't tried to debug nscd yet, but I think the correct thing to do in this
case is for grp_unmarshal_func to return NS_UNAVAIL.  That's what the attached
patch does.

Steps to Reproduce:
* Install pkg from git head (prior to https://github.com/freebsd/pkg/pull/1873
pkg would ignore ERANGE errors)
* Enable nscd.  I'm using it with LDAP, and in my nsswitch.conf I have "group:
files cache ldap", but I don't think the order matters.
* Try to install a package that sets the group ownership of one or more files
to "root" (which does not exist).

It will print errors like:
pkg: getgrnam_r: Result too large

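A minimal model of the failure described in this report, added here as an illustration; it is not the getgrent.c source or the attached patch. HDR_SIZE, the ST_* status codes and the function names are assumptions; the 1-byte reply size is the value given in the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
/* Assumed values: header size of a marshalled record, and status codes
 * standing in for the nsswitch return values. */
#define HDR_SIZE ((size_t)40)
enum { ST_SUCCESS, ST_UNAVAIL, ST_RETRY };
typedef int (*unmarshal_fn)(size_t caller_buf, size_t cached, int *err);

/* Unchecked form: cached - HDR_SIZE wraps to a huge value when the cache
 * returns fewer than HDR_SIZE bytes, so every caller buffer looks too small. */
int unmarshal_unchecked(size_t caller_buf, size_t cached, int *err)
{
    if (caller_buf < cached - HDR_SIZE) {
        *err = ERANGE;
        return ST_RETRY;
    }
    *err = 0;
    return ST_SUCCESS;
}

/* Checked form: a reply shorter than the header cannot be a record. */
int unmarshal_checked(size_t caller_buf, size_t cached, int *err)
{
    if (cached < HDR_SIZE) {
        *err = 0;
        return ST_UNAVAIL;
    }
    return unmarshal_unchecked(caller_buf, cached, err);
}

/* Caller that doubles its buffer on ERANGE up to cap; returns attempts made. */
size_t lookup_attempts(unmarshal_fn fn, size_t cached, size_t cap, int *status)
{
    size_t buf = 128, attempts = 1;
    int err;
    while ((*status = fn(buf, cached, &err)) == ST_RETRY && buf < cap) {
        buf *= 2;
        attempts++;
    }
    return attempts;
}

int main(void)
{
    int st;
    printf("unchecked: %zu tries\n", lookup_attempts(unmarshal_unchecked, 1, 1 << 20, &st));
    printf("checked:   %zu tries\n", lookup_attempts(unmarshal_checked, 1, 1 << 20, &st));
    return 0;
}
```

With a 1-byte reply the unchecked form keeps reporting ERANGE until the caller's own cap stops the retries, while the checked form ends the lookup on the first call.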