This should have been part of the patch:
[PATCH] mmap_cache: Check if slot and name_ptr are not invalid.

I missed the fact that name_ptr is called just name in the client code and
did not add the check there.

Using a manually corrupted cache (setting name_ptr to a high value with a
hex editor), this caused a segfault in the client code. The attached patch
fixes this.

Please review and push this patch to master, 1-9 and 1-10.

Thanks
Michal
>From 6dcecdf083132f08ee4297175cce8de6636dc14b Mon Sep 17 00:00:00 2001
From: Michal Zidek <[email protected]>
Date: Mon, 12 Aug 2013 19:29:56 +0200
Subject: [PATCH] mmap_cache: Check data->name value in client code

data->name value must be checked to prevent segfaults in
case of corrupted memory cache.

resolves:
https://fedorahosted.org/sssd/ticket/2018
---
 src/sss_client/nss_mc_group.c  | 5 +++++
 src/sss_client/nss_mc_passwd.c | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
index 2d69be9..60f8981 100644
--- a/src/sss_client/nss_mc_group.c
+++ b/src/sss_client/nss_mc_group.c
@@ -23,6 +23,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <stddef.h>
 #include <sys/mman.h>
 #include <time.h>
 #include "nss_mc.h"
@@ -134,6 +135,10 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
         }
 
         data = (struct sss_mc_grp_data *)rec->data;
+        if (data->name != offsetof(struct sss_mc_grp_data, strs)) {
+            return ENOENT;
+        }
+
         rec_name = (char *)data + data->name;
         if (strcmp(name, rec_name) == 0) {
             break;
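Review bot: The new check only pins data->name to the start of the string area; it does not establish that the string at rec_name is NUL-terminated inside the record, so the strcmp() two lines below can still read past the end of a corrupted record and, in the worst case, past the mapped cache. Since name_len is already a parameter (visible in the hunk header), bounding the compare confines the read to the caller's length: `if (strncmp(name, rec_name, name_len) == 0 && rec_name[name_len] == '\0') {`. If the record carries the length of its string area (not visible in this hunk), comparing name_len + 1 against it before the compare would close the gap completely. The check would also benefit from a one-line comment such as `/* Corrupted cache: name must point at the start of the string area */`. sss_nss_mc_getgrnam begins before and continues after this hunk.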
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
index fa21bd2..7e47849 100644
--- a/src/sss_client/nss_mc_passwd.c
+++ b/src/sss_client/nss_mc_passwd.c
@@ -23,6 +23,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <stddef.h>
 #include <sys/mman.h>
 #include <time.h>
 #include "nss_mc.h"
@@ -135,6 +136,10 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
         }
 
         data = (struct sss_mc_pwd_data *)rec->data;
+        if (data->name != offsetof(struct sss_mc_pwd_data, strs)) {
+            return ENOENT;
+        }
+
         rec_name = (char *)data + data->name;
         if (strcmp(name, rec_name) == 0) {
             break;
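Review bot: As in the group lookup, the offsetof() check validates only where data->name points, not that rec_name is NUL-terminated within the record, so the strcmp() that follows remains an unbounded read over attacker- or corruption-controlled bytes. A bounded compare using the name_len parameter from the signature, `if (strncmp(name, rec_name, name_len) == 0 && rec_name[name_len] == '\0') {`, limits the exposure; a full fix needs the record's string-area length, which this hunk does not show. The integrity check is now duplicated byte-for-byte in nss_mc_group.c and nss_mc_passwd.c; a shared static inline helper in nss_mc.h would keep future additions to the validation in sync. sss_nss_mc_getpwnam begins before and continues after this hunk.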
-- 
1.7.11.2
