Package: libnss-ldap
Version: 238-1.1
Severity: grave
Justification: renders package unusable


There's a buffer overflow in the uidNumber/gidNumber handling code. The
buffer is hard-coded to the length of a uid_t, but the LDAP schema
allows larger integer numbers.

Using long integer numbers causes a lookup that takes several minutes
and then results in a segfault. The attached patch fixes the problem.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15.4
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages libnss-ldap depends on:
ii  debconf                       1.4.70     Debian configuration management sy
ii  libc6                         2.3.6-1    GNU C Library: Shared libraries an
ii  libldap2                      2.1.30-12  OpenLDAP libraries

Versions of packages libnss-ldap recommends:
ii  libpam-ldap                   180-1      Pluggable Authentication Module al
ii  nscd                          2.3.6-1    GNU C Library: Name Service Cache 

-- debconf-show failed
--- ldap-pwd.c	2005-03-24 01:03:40.000000000 +0100
+++ ldap-pwd.c.new	2006-02-23 11:26:27.000000000 +0100
@@ -86,9 +86,11 @@
   struct passwd *pw = (struct passwd *) result;
   char *uid, *gid;
   NSS_STATUS stat;
-  char tmpbuf[sizeof "-4294967295"];
+  char tmpbuf[ sizeof( uid_t ) * 8 / 3 + 2 ];
   size_t tmplen;
   char *tmp;
+  
+  tmpbuf[ sizeof(tmpbuf) - 1 ] = '\0';
 
   if (_nss_ldap_oc_check (e, "shadowAccount") == NSS_SUCCESS)
     {
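Review bot: The new array size `sizeof( uid_t ) * 8 / 3 + 2` is a non-obvious formula and deserves a comment, e.g. `/* sign + decimal digits of a uid_t + NUL; bits/3 >= ceil(bits * log10(2)) */`, together with one on the sentinel assignment stating that the last byte is never handed to the callee (tmplen is sizeof(tmpbuf) - 1 in the second hunk), so tmpbuf stays NUL-terminated even if `_nss_ldap_assign_attrval` does not terminate a value that fills the buffer — whether it does is not visible here. The same buffer is also used for gidNumber in the next hunk but is sized from uid_t alone; if gid_t can be wider than uid_t on some platform, size it from the larger of the two. The enclosing function begins before this hunk.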
@@ -117,21 +119,23 @@
     return stat;
 
   tmp = tmpbuf;
-  tmplen = sizeof (tmpbuf);
+  tmplen = sizeof (tmpbuf) - 1;
   stat =
     _nss_ldap_assign_attrval (e, AT (uidNumber), &uid, &tmp, &tmplen);
   if (stat != NSS_SUCCESS)
-    return stat;
-  pw->pw_uid = (*uid == '\0') ? UID_NOBODY : (uid_t) atol (uid);
+    pw->pw_uid = -1;
+  else
+    pw->pw_uid = (*uid == '\0') ? UID_NOBODY : (uid_t) atol (uid);
 
   tmp = tmpbuf;
-  tmplen = sizeof (tmpbuf);
+  tmplen = sizeof (tmpbuf) - 1;
   stat =
     _nss_ldap_assign_attrval (e, ATM (passwd, gidNumber), &gid, &tmp,
                               &tmplen);
   if (stat != NSS_SUCCESS)
-    return stat;
-  pw->pw_gid = (*gid == '\0') ? GID_NOBODY : (gid_t) atol (gid);
+    pw->pw_gid = -1;
+  else
+    pw->pw_gid = (*gid == '\0') ? GID_NOBODY : (gid_t) atol (gid);
 
   stat =
     _nss_ldap_assign_attrval (e, AT (gecos), &pw->pw_gecos, &buffer,
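Review bot: The new `pw->pw_uid = -1;` and `pw->pw_gid = -1;` fallbacks hand the caller a passwd entry with uid/gid (uid_t)-1 instead of failing the lookup, and the conversion that follows still uses `atol` with no range check, so a uidNumber that is negative or does not fit in uid_t is silently cast to some other id — where `long` is wider than `uid_t`, a value one above the uid_t maximum wraps to 0. If the aim is to stop propagating a retry status that the fixed-size tmpbuf can never satisfy, return a definitive failure instead of fabricating an id, `if (stat != NSS_SUCCESS) return NSS_NOTFOUND;`, and parse with `strtoul` plus an end-pointer/ERANGE check, rejecting the entry when the string is not fully consumed or the value exceeds what uid_t can hold. The gidNumber branch needs the same treatment. The enclosing function starts before the first hunk and continues past this one.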
