Fix possible buffer overflow: buflen (a size_t*) was being used

[hcoop/debian/libnss-afs.git] / nss_afs.c

diff --git a/nss_afs.c b/nss_afs.c
index 2de5dac..126b5c5 100644 (file)
--- a/nss_afs.c
+++ b/nss_afs.c
@@ -56,7 +56,6 @@
 #include <sys/time.h>
 #include <sys/types.h>
 #include <unistd.h>
-#include <afs/afs.h>
 #include <afs/afsutil.h>
 #include <afs/cellconfig.h>
 #include <afs/com_err.h>
@@ -116,7 +115,7 @@ enum nss_status ptsid2name(int uid, char **buffer, int *buflen) {
   idlist lid;
   namelist lnames;
 
-  init_afs();
+  if (init_afs()) return NSS_STATUS_UNAVAIL;
 
   if (uid==AFS_MAGIC_ANONYMOUS_USERID) {
     if (!cpstr("anonymous", buffer, buflen)) return NSS_STATUS_UNAVAIL;
@@ -131,7 +130,7 @@ enum nss_status ptsid2name(int uid, char **buffer, int *buflen) {
   lnames.namelist_len = 0;
 
   if (ubik_Call(PR_IDToName,pruclient,0,&lid,&lnames) != PRSUCCESS) {
-    perror("ubik_Call() in ptsid2name() failed");
+    perror("ubik_Call() in ptsid2name() failed\n");
     pthread_mutex_unlock(&mutex);
     return NSS_STATUS_UNAVAIL;
   }
@@ -139,7 +138,7 @@ enum nss_status ptsid2name(int uid, char **buffer, int *buflen) {
   ret = NSS_STATUS_NOTFOUND;
   for (i=0;i<lnames.namelist_len;i++) {
     int delta = strlen(lnames.namelist_val[i]);
-    if ( (delta < buflen) && islower(*(lnames.namelist_val[i])) ) {
+    if ( (delta < *buflen) && islower(*(lnames.namelist_val[i])) ) {
       cpstr(lnames.namelist_val[i], buffer, buflen);
       ret = NSS_STATUS_SUCCESS;
     }
@@ -162,7 +161,7 @@ enum nss_status ptsname2id(char *name, uid_t* uid) {
   namelist lnames;
   char uname[MAXUSERNAMELEN];
 
-  init_afs();
+  if (init_afs()) return NSS_STATUS_UNAVAIL;
   
   if (!strcmp(name,"anonymous")) {
     *uid = AFS_MAGIC_ANONYMOUS_USERID;
@@ -173,13 +172,13 @@ enum nss_status ptsname2id(char *name, uid_t* uid) {
 
   lid.idlist_val = 0;
   lid.idlist_len = 0;
-  lnames.namelist_val = (prname*)(&uname);
+  lnames.namelist_val = (prname*)uname;
   // apparently ubik expects to be able to modify this?
   strncpy(uname, name, MAXUSERNAMELEN);
   lnames.namelist_len = 1;
 
   if (ubik_Call(PR_NameToID,pruclient,0,&lnames,&lid) != PRSUCCESS) {
-    perror("ubik_Call() in ptsname2id() failed");
+    perror("ubik_Call() in ptsname2id() failed\n");
     pthread_mutex_unlock(&mutex);
     return NSS_STATUS_UNAVAIL;
   }
@@ -199,11 +198,35 @@ int init_afs() {
   int len;
   struct stat statbuf;
 
+  char buf[6];
+  int fd;
+  int pos;
+
   if (afs_initialized) {
     /* wait until /afs/@cell/ appears as a proxy for "the network is up" */
     if (stat(cell_root, &statbuf)) return -1;
     return 0;
   }
+
+  // check to make sure that we are running inside nscd
+  pos = 0;
+  fd = open("/proc/self/cmdline", O_RDONLY);
+  if (fd==-1) return -1;
+  while(1) {
+    int numread;
+    numread = read(fd, buf+pos, 1);
+    if (buf[ (pos+5)%6 ] == 'd' &&
+        buf[ (pos+4)%6 ] == 'c' &&
+        buf[ (pos+3)%6 ] == 's' &&
+        buf[ (pos+2)%6 ] == 'n' &&
+        (buf[(pos+1)%6 ] == '/' || pos==4) &&
+        (buf[(pos+0)%6 ] ==  0  || numread==-1)
+        )
+      break;
+    pos = (pos+1)%6;
+    if (numread==0) { close(fd); return -1; }
+  }
+  close(fd);
   
   if (pthread_mutex_lock(&mutex)) return -1;
   do {
@@ -212,7 +235,7 @@ int init_afs() {
 
     len = snprintf(cellname, MAXCELLNAMELEN,
                    "%s/ThisCell", AFSDIR_CLIENT_ETC_DIRPATH);
-    if (len < 0 || len >= MAXCELLNAMELEN) break;
+    if (len < 0 || len >= MAXCELLNAMELEN) return -1;
 
     thiscell=fopen(cellname,"r");
     if (thiscell == NULL) break;
@@ -240,7 +263,7 @@ int init_afs() {
     rx_SetRxDeadTime(5);    
 
     if (pr_Initialize(0L,AFSDIR_CLIENT_ETC_DIRPATH, 0)) {
-      perror("pr_Initialize() failed");
+      perror("pr_Initialize() failed\n");
       break;
     }
     
@@ -364,7 +387,7 @@ enum nss_status _nss_afs_getgrgid_r (gid_t gid,
 
     result->gr_passwd=buffer;
 
-    if (!cpstr("x",&buffer,&buflen)) break;
+    if (!cpstr("z",&buffer,&buflen)) break;
 
     if (buflen < sizeof(char*)) break;
     result->gr_mem=buffer;
@@ -390,9 +413,9 @@ enum nss_status fill_result_buf(uid_t uid,
                                 int *errnop) {
   result_buf->pw_name = name;
   do {
-    /* set the password to "x" */
+    /* set the password to "z"; we can't use "x" because of pam_unix.so */
     result_buf->pw_passwd = buffer;
-    if ( ! cpstr("x",&buffer, &buflen) ) break;
+    if ( ! cpstr("z",&buffer, &buflen) ) break;
 
     /* the uid and gid are both the uid passed in */
     result_buf->pw_uid = uid;