1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
From 42ad8c2c4805b825317b8944df1c3cf1c2c3c2cc Mon Sep 17 00:00:00 2001
From: Martin Schwenke <martin@meltin.net>
Date: Tue, 9 Jun 2020 11:52:50 +1000
Subject: [PATCH] util: Simplify input validation
It appears that snprintf(3) is being used for input validation.
However, this seems like overkill because it causes szPath to be
copied an extra time. The mostly likely protections being sought
here, according to https://cwe.mitre.org/data/definitions/20.html,
look to be DoS attacks involving CPU and memory usage. A simpler
check that uses strnlen(3) can mitigate against both of these and is
simpler.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>
(cherry picked from commit 922bce2668994dd2a5988c17060f977e9bb0c229)
---
lib/util/util_paths.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
index c0ee5c32c30..dec91772d9e 100644
--- a/lib/util/util_paths.c
+++ b/lib/util/util_paths.c
@@ -69,21 +69,20 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
struct passwd pwd = {0};
struct passwd *pwdbuf = NULL;
char buf[NSS_BUFLEN_PASSWD] = {0};
+ size_t len;
int rc;
rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
if (rc != 0 || pwdbuf == NULL ) {
- int len_written;
const char *szPath = getenv("HOME");
if (szPath == NULL) {
return NULL;
}
- len_written = snprintf(buf, sizeof(buf), "%s", szPath);
- if (len_written >= sizeof(buf) || len_written < 0) {
- /* Output was truncated or an error. */
+ len = strnlen(szPath, PATH_MAX);
+ if (len >= PATH_MAX) {
return NULL;
}
- return talloc_strdup(mem_ctx, buf);
+ return talloc_strdup(mem_ctx, szPath);
}
return talloc_strdup(mem_ctx, pwd.pw_dir);
--
GitLab
From 581b581700c967d38bcbb8d81767a7dfdfe68147 Mon Sep 17 00:00:00 2001
From: Martin Schwenke <martin@meltin.net>
Date: Fri, 5 Jun 2020 21:52:23 +1000
Subject: [PATCH] util: Fix build on FreeBSD by avoiding NSS_BUFLEN_PASSWD
NSS_BUFLEN_PASSWD is not defined on FreeBSD. Use
sysconf(_SC_GETPW_R_SIZE_MAX) instead, as per POSIX.
Use a dynamically allocated buffer instead of trying to cram all of
the logic into the declarations. This will come in useful later
anyway.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>
(cherry picked from commit 847208cd8ac68c4c7d1dae63767820db1c69292b)
---
lib/util/util_paths.c | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
index dec91772d9e..9bc6df37e5d 100644
--- a/lib/util/util_paths.c
+++ b/lib/util/util_paths.c
@@ -68,24 +68,41 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
{
struct passwd pwd = {0};
struct passwd *pwdbuf = NULL;
- char buf[NSS_BUFLEN_PASSWD] = {0};
+ char *buf = NULL;
+ char *out = NULL;
+ long int initlen;
size_t len;
int rc;
- rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
+ initlen = sysconf(_SC_GETPW_R_SIZE_MAX);
+ if (initlen == -1) {
+ len = 1024;
+ } else {
+ len = (size_t)initlen;
+ }
+ buf = talloc_size(mem_ctx, len);
+ if (buf == NULL) {
+ return NULL;
+ }
+
+ rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf);
if (rc != 0 || pwdbuf == NULL ) {
const char *szPath = getenv("HOME");
if (szPath == NULL) {
- return NULL;
+ goto done;
}
len = strnlen(szPath, PATH_MAX);
if (len >= PATH_MAX) {
return NULL;
}
- return talloc_strdup(mem_ctx, szPath);
+ out = talloc_strdup(mem_ctx, szPath);
+ goto done;
}
- return talloc_strdup(mem_ctx, pwd.pw_dir);
+ out = talloc_strdup(mem_ctx, pwd.pw_dir);
+done:
+ TALLOC_FREE(buf);
+ return out;
}
char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d)
--
GitLab
From 8cffe254eda6c7ae843d79610eacb9a1020ef01a Mon Sep 17 00:00:00 2001
From: Martin Schwenke <martin@meltin.net>
Date: Fri, 5 Jun 2020 22:05:42 +1000
Subject: [PATCH] util: Reallocate larger buffer if getpwuid_r() returns ERANGE
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jun 9 21:07:24 UTC 2020 on sn-devel-184
(cherry picked from commit ddac6b2eb4adaec8fc5e25ca07387d2b9417764c)
---
lib/util/util_paths.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
index 9bc6df37e5d..72cc0aab8de 100644
--- a/lib/util/util_paths.c
+++ b/lib/util/util_paths.c
@@ -86,6 +86,19 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
}
rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf);
+ while (rc == ERANGE) {
+ size_t newlen = 2 * len;
+ if (newlen < len) {
+ /* Overflow */
+ goto done;
+ }
+ len = newlen;
+ buf = talloc_realloc_size(mem_ctx, buf, len);
+ if (buf == NULL) {
+ goto done;
+ }
+ rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf);
+ }
if (rc != 0 || pwdbuf == NULL ) {
const char *szPath = getenv("HOME");
if (szPath == NULL) {
--
GitLab
|
