I found two sssd_nss bugs pretty much by accident.

[PATCH 1/2] NSS: keep a pointer to body after body is reallocated
When memory is reallocated with talloc_realloc, the original pointer
might be relocated elsewhere. The "fullname" pointer used to point to
the original location before realloc, which led to use-after-free issues.

[PATCH 2/2] Use sized_string correctly in FQDN domains
We were using the structure itself instead of the string pointer, which
led to crashes when the domain was fully qualified.
From 1a4fbb0f39314c29d307c994637df8cd704cb881 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 14 May 2012 15:53:18 +0200
Subject: [PATCH 1/2] NSS: keep a pointer to body after body is reallocated

---
 src/responder/nss/nsssrv_cmd.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index f36a9a322ab92144c93b8cb9041d7a28515cc85d..43e82ae3ad1d98d440c076513ffb78ed46feb949 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1919,6 +1919,9 @@ static int fill_grent(struct sss_packet *packet,
         num++;
 
         if (gr_mmap_cache) {
+            /* body was reallocated, so fullname might be pointing to
+             * where body used to be, not where it is */
+            to_sized_string(&fullname, (const char 
*)&body[rzero+STRS_ROFFSET]);
             ret = sss_mmap_cache_gr_store(nctx->grp_mc_ctx,
                                           &fullname, &pwfield, gid, memnum,
                                           (char *)&body[rzero] + STRS_ROFFSET +
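Review bot: the added to_sized_string() call re-derives fullname from rzero + STRS_ROFFSET, which is the right fix since body may have moved, but the comment should say body "may have been" reallocated rather than "was", and the same question applies to &pwfield on the following line: if it was also derived from body before the realloc it needs the same re-derivation. Longer term, keeping offsets into body instead of pointers would remove the need for fixups after every realloc.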
-- 
1.7.10.1

From 5c76308e02c2b073382c2608d80c12dc3ff97937 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 14 May 2012 15:58:37 +0200
Subject: [PATCH 2/2] Use sized_string correctly in FQDN domains

---
 src/responder/nss/nsssrv_cmd.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 43e82ae3ad1d98d440c076513ffb78ed46feb949..aa3ef3cbc0b98d3fe44e14dce212ecf1279f14f3 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1863,7 +1863,7 @@ static int fill_grent(struct sss_packet *packet,
                 if (add_domain) {
                     ret = snprintf((char *)&body[rzero + rsize],
                                     name.len + delim + dom_len,
-                                    namefmt, name, domain);
+                                    namefmt, name.str, domain);
                     if (ret >= (name.len + delim + dom_len)) {
                         /* need more space,
                          * got creative with the print format ? */
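Review bot: passing the whole struct sized_string to a "%s" conversion was undefined behaviour that the compiler can flag, so building with -Wformat (or -Werror=format) would have caught the original `namefmt, name, domain` at compile time. Separately, `ret >= (name.len + delim + dom_len)` compares snprintf's int result with what is presumably a size_t; a negative return (encoding error) would be promoted and read as "need more space", so consider checking `ret < 0` before the size comparison.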
@@ -1879,7 +1879,7 @@ static int fill_grent(struct sss_packet *packet,
                         /* retry */
                         ret = snprintf((char *)&body[rzero + rsize],
                                         name.len + delim + dom_len,
-                                        namefmt, name, domain);
+                                        namefmt, name.str, domain);
                     }
 
                     if (ret != name.len + delim + dom_len - 1) {
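Review bot: the retry repeats the same snprintf call with the same arguments as the first attempt; factoring it into a small helper or a loop would keep the name.str fix in one place so the two call sites cannot drift apart again. The final `ret != name.len + delim + dom_len - 1` check has the same int/size_t mixing as the first one and would benefit from the same `ret < 0` guard.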
-- 
1.7.10.1
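The stale-pointer pattern fixed by PATCH 1/2, re-deriving the name's sized_string from its offset only after the buffer may have been reallocated, as an added C example that is not sssd's code: `struct sized_string`, `struct body`, `body_append`, `pack_group` and `points_into` are assumed, simplified stand-ins for the real structures, and plain realloc stands in for talloc_realloc.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed mirror of sssd's sized_string: a C string and its length. */
struct sized_string { const char *str; size_t len; };

static void to_sized_string(struct sized_string *out, const char *s)
{
    out->str = s;
    out->len = strlen(s);
}

/* Growable packet body; realloc may move buf, so only offsets are stable. */
struct body { char *buf; size_t size; size_t used; };

static int body_append(struct body *b, const char *s)
{
    size_t n = strlen(s) + 1;            /* include the NUL terminator */
    if (b->used + n > b->size) {
        size_t ns = b->size ? b->size * 2 : 8;
        while (ns < b->used + n) ns *= 2;
        char *nb = realloc(b->buf, ns);  /* the old buf may be freed here */
        if (nb == NULL) return -1;
        b->buf = nb;
        b->size = ns;
    }
    memcpy(b->buf + b->used, s, n);
    b->used += n;
    return 0;
}

/* Pack a group name followed by its members, the way fill_grent packs a record.
 * The name's sized_string is derived from its offset only after the last append. */
static int pack_group(struct body *b, const char *name,
                      const char **members, size_t nmem,
                      struct sized_string *fullname)
{
    size_t name_off = b->used;           /* an offset survives realloc; a pointer would not */
    if (body_append(b, name) < 0) return -1;
    for (size_t i = 0; i < nmem; i++) {
        if (body_append(b, members[i]) < 0) return -1;   /* may relocate b->buf */
    }
    to_sized_string(fullname, b->buf + name_off);
    return 0;
}

/* True when s lies inside the body's current allocation. */
static int points_into(const struct body *b, const char *s)
{
    return b->buf != NULL && s >= b->buf && s < b->buf + b->used;
}
```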

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
