fix integer underflow in getgrnam_r and getpwnam_r

Sometimes nscd(8) will return a 1-byte buffer for a nonexistent entry. This triggered an integer underflow in grp_unmarshal_func, causing getgrnam_r to return ERANGE instead of 0. Fix the user's buffer size check, and add a correct check for a too-small nscd buffer. PR: 248932 Event: September 2020 Bugathon Reviewed by: markj MFC after: 2 weeks Sponsored by: Axcient Differential Revision: https://reviews.freebsd.org/D26204
2020-09-19 19:08:27 +00:00 · 2020-09-19 19:08:27 +00:00 · 9ad1d357e0
commit 9ad1d357e0
parent c6989859ae
2 changed files with 24 additions and 4 deletions
--- a/lib/libc/gen/getgrent.c
+++ b/lib/libc/gen/getgrent.c
@ -334,15 +334,28 @@ grp_unmarshal_func(char *buffer, size_t buffer_size, void *retval, va_list ap,
 	orig_buf_size = va_arg(ap, size_t);
 	ret_errno = va_arg(ap, int *);

-	if (orig_buf_size <
-	    buffer_size - sizeof(struct group) - sizeof(char *)) {
+	if (orig_buf_size + sizeof(struct group) + sizeof(char *) < buffer_size)
+	{
 		*ret_errno = ERANGE;
 		return (NS_RETURN);
+	} else if (buffer_size < sizeof(struct group) + sizeof(char *)) {
+		/*
+		 * nscd(8) sometimes returns buffer_size=1 for nonexistent
+		 * entries.
+		 */
+		*ret_errno = 0;
+		return (NS_NOTFOUND);
 	}

 	memcpy(grp, buffer, sizeof(struct group));
 	memcpy(&p, buffer + sizeof(struct group), sizeof(char *));

+	if (orig_buf_size + sizeof(struct group) + sizeof(char *) +
+	    _ALIGN(p) - (size_t)p < buffer_size) {
+		*ret_errno = ERANGE;
+		return (NS_RETURN);
+	}
+
 	orig_buf = (char *)_ALIGN(orig_buf);
 	memcpy(orig_buf, buffer + sizeof(struct group) + sizeof(char *) +
 	    _ALIGN(p) - (size_t)p,
--- a/lib/libc/gen/getpwent.c
+++ b/lib/libc/gen/getpwent.c
@ -389,10 +389,17 @@ pwd_unmarshal_func(char *buffer, size_t buffer_size, void *retval, va_list ap,
 	orig_buf_size = va_arg(ap, size_t);
 	ret_errno = va_arg(ap, int *);

-	if (orig_buf_size <
-	    buffer_size - sizeof(struct passwd) - sizeof(char *)) {
+	if (orig_buf_size + sizeof(struct passwd) + sizeof(char *) <
+	    buffer_size) {
 		*ret_errno = ERANGE;
 		return (NS_RETURN);
+	} else if (buffer_size < sizeof(struct passwd) + sizeof(char *)) {
+		/*
+		 * nscd(8) sometimes returns buffer_size=1 for nonexistent
+		 * entries.
+		 */
+		*ret_errno = 0;
+		return (NS_NOTFOUND);
 	}

 	memcpy(pwd, buffer, sizeof(struct passwd));