changeset 2059:e3b1d9cb2e0d

6424028 rpc.nisd & libnsl security issues from unbounded input string copies
author rupertk
date Thu, 25 May 2006 07:29:59 -0700
parents 40d3788a5679
children d28fa6b07b04
files usr/src/cmd/rpcsvc/nis/rpc.nisd/nis_subr_proc.c usr/src/lib/libnsl/nis/gen/nis_misc_proc.c
diffstat 2 files changed, 33 insertions(+), 15 deletions(-) [+]
--- a/usr/src/cmd/rpcsvc/nis/rpc.nisd/nis_subr_proc.c	Thu May 25 02:58:46 2006 -0700
+++ b/usr/src/cmd/rpcsvc/nis/rpc.nisd/nis_subr_proc.c	Thu May 25 07:29:59 2006 -0700
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -961,6 +960,13 @@
 {
 	struct creditem *foo, *old;
 
+	if (strlen(pname) >= sizeof (foo->pname)) {
+		syslog(LOG_ERR,
+		"add_cred_item: principal name too long '%s'",
+			pname);
+		return;
+	}
+
 	old = (struct creditem *)nis_find_item(netname, &credtbl);
 	if (old) {
 		__nis_release_item((NIS_HASH_ITEM *)old, &credtbl, -1);
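Review bot: The new rejection path in add_cred_item hands the over-long pname to syslog with an unbounded `%s`, so a name already known to be oversized is written to the log in full. A precision bounds it, for example `"add_cred_item: principal name too long '%.64s...'"` (64 is an illustrative value), and logging `strlen(pname)` alongside would keep the useful detail. The guard also covers pname only. netname is used as the hash key on the next line, and whether it is later copied into a fixed-size field cannot be seen here because the rest of the function body is outside the hunk, so it is worth confirming that it has an equivalent check.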
@@ -1279,9 +1285,9 @@
 				"nis_getprincipal: error doing nis_list: %s",
 						nis_sperrno(res->status));
 	} else {
-		if (strlcpy(name, ENTRY_VAL(res->objects.objects_val, 0), 1024)
-			>= 1024) {
-			strcpy(name, nobody); /* default is "nobody" */
+		if (strlcpy(name,
+		    ENTRY_VAL(res->objects.objects_val, 0), 1024) >= 1024) {
+			(void) strcpy(name, nobody); /* default is "nobody" */
 			syslog(LOG_ERR,
 		"nis_getprincipal: buffer overflow, returning '%s'", nobody);
 			nis_freeresult(res);
--- a/usr/src/lib/libnsl/nis/gen/nis_misc_proc.c	Thu May 25 02:58:46 2006 -0700
+++ b/usr/src/lib/libnsl/nis/gen/nis_misc_proc.c	Thu May 25 07:29:59 2006 -0700
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -21,7 +20,7 @@
  */
 
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -227,8 +226,14 @@
 				"__nis_auth2princ: error doing nis_list: %s",
 						nis_sperrno(res->status));
 	} else {
-		(void) strncpy(name, ENTRY_VAL(res->objects.objects_val, 0),
-				1024);
+		if (strlcpy(name,
+		    ENTRY_VAL(res->objects.objects_val, 0), 1024) >= 1024) {
+			(void) strcpy(name, nobody); /* default is "nobody" */
+			syslog(LOG_ERR,
+		"__nis_auth2princ: buffer overflow, returning '%s'", nobody);
+			nis_freeresult(res);
+			return;
+		}
 		if (flavor == AUTH_DES)
 			add_cred_item(ad->adc_fullname.name, name);
 	}
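Review bot: The bound passed to strlcpy is the bare literal 1024, which is only safe if every caller's `name` buffer is at least that large. Nothing in the hunk ties the number to the buffer, and the declaration of `name` is outside it. The same literal is repeated in the __nis_auth2princ_rpcgss hunk below and in nis_getprincipal in nis_subr_proc.c, so a caller with a smaller buffer would still be overrun despite this fix. I would replace the three literals with one named constant shared with the callers' buffer declarations and document the contract on the function, e.g. `/* name must point to a buffer of at least 1024 bytes */`. The function body starts and ends outside the hunk.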
@@ -689,8 +694,15 @@
 			"__nis_auth2princ_rpcgss: error doing nis_list: %s",
 						nis_sperrno(res->status));
 	} else {
-		(void) strncpy(name, ENTRY_VAL(res->objects.objects_val, 0),
-				1024);
+		if (strlcpy(name,
+		    ENTRY_VAL(res->objects.objects_val, 0), 1024) >= 1024) {
+			(void) strcpy(name, nobody); /* default is "nobody" */
+			syslog(LOG_ERR,
+		"__nis_auth2princ_rpcgss: buffer overflow, returning '%s'",
+		nobody);
+			nis_freeresult(res);
+			return;
+		}
 		if (flavor == AUTH_DES || flavor == RPCSEC_GSS) {
 			if (verbose)
 				syslog(LOG_INFO,
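Review bot: The message logged on the truncation path says "buffer overflow" although strlcpy has already prevented one, and its only argument is the constant `nobody`. Someone triaging the log therefore cannot tell which credential entry was over-long or how long it was. The same wording is used in the __nis_auth2princ hunk above. I would reword it to match add_cred_item, e.g. `"__nis_auth2princ_rpcgss: principal name too long, using '%s'"`, and also log the value strlcpy returned, which is the source length. The function body starts and ends outside the hunk.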