Date: Mon, 4 Sep 2006 16:32:08 +0200 (CEST)
From: Thomas Quinot <thomas@cuivre.fr.eu.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/102848: Malformed line in master.passwd causes libutil's pw_copy to crash
Message-ID: <20060904143208.5985D5C44B@melamine.cuivre.fr.eu.org>
Resent-Message-ID: <200609041440.k84EeQNW018155@freefall.freebsd.org>
>Number: 102848
>Category: bin
>Synopsis: Malformed line in master.passwd causes libutil's pw_copy to crash
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Sep 04 14:40:20 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Thomas Quinot
>Release: FreeBSD 6.1-RC i386
>Organization:
>Environment:
System: FreeBSD melamine.cuivre.fr.eu.org 6.1-RC FreeBSD 6.1-RC #0: Thu May 4 13:21:21 CEST 2006 thomas@melamine.cuivre.fr.eu.org:/space/build/obj/space/build/src/RELENG_6/sys/MELAMINE i386
>Description:
pw_copy is a libutil subprogram that copies master.passwd and replaces
or adds a single entry. It is used, among others, by rpc.yppasswdd, to
update master.passwd for a single user.
When a malformed line is encountered in master.passwd, this function
causes a null pointer dereference instead of silently copying the malformed
line to the output FD. In the case of rpc.yppasswdd, this causes the daemon
to abort if a password change is attempted for an entry located after the
malformed one.
>How-To-Repeat:
Add a malformed entry (wrong number of fields) to master.passwd
on a NIS server.
Use rpc.yppasswdd to attempt to change the password of an entry
located after the faulty one.
Observe that rpc.yppasswdd dies on a segfault and that master.passwd
is left unmodified.
>Fix:
Index: pw_util.c
===================================================================
RCS file: /space/mirror/ncvs/src/lib/libutil/pw_util.c,v
retrieving revision 1.35
diff -u -r1.35 pw_util.c
--- pw_util.c 18 May 2004 15:53:58 -0000 1.35
+++ pw_util.c 4 Sep 2006 10:43:53 -0000
@@ -481,13 +481,22 @@
}
/* is it the one we're looking for? */
+
t = *q;
*q = '\0';
+
fpw = pw_scan(r, PWSCAN_MASTER);
+
+ /*
+ * fpw is either the struct password for the current line,
+ * or NULL if the line is malformed.
+ */
+
*q = t;
- if (strcmp(fpw->pw_name, pw->pw_name) != 0) {
+ if (fpw == NULL || strcmp(fpw->pw_name, pw->pw_name) != 0) {
/* nope */
- free(fpw);
+ if (fpw != NULL)
+ free(fpw);
if (write(tfd, p, q - p + 1) != q - p + 1)
goto err;
++q;
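Review bot: The "if (fpw != NULL)" guard added before free(fpw) is unnecessary, because free(NULL) is defined to do nothing; the original unconditional free(fpw) can stay once the "fpw == NULL ||" test precedes the strcmp. The new comment should say "struct passwd" rather than "struct password", and the blank "+" lines added around "t = *q;" and the pw_scan call are whitespace-only changes that would be better left out of the fix.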
>Release-Note:
>Audit-Trail:
>Unformatted:
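The behaviour the report asks for, as an added example that is not part of the original report or of FreeBSD's libutil: a simplified copy-and-replace over an in-memory buffer in which malformed lines pass through unchanged. The names copy_replace, scan_name and MASTER_FIELDS are hypothetical, and scan_name only counts fields as a stand-in for pw_scan.

```c
#include <string.h>

#define MASTER_FIELDS 10 /* name:passwd:uid:gid:class:change:expire:gecos:dir:shell */

/* Hypothetical stand-in for pw_scan(): length of the name field, or -1 when
 * the line does not have exactly MASTER_FIELDS colon-separated fields. */
static int scan_name(const char *line, size_t len)
{
    size_t i, colons = 0;
    int namelen = -1;
    for (i = 0; i < len; i++)
        if (line[i] == ':' && colons++ == 0)   /* counts every colon */
            namelen = (int)i;                  /* records the first one */
    return (colons == MASTER_FIELDS - 1 && namelen > 0) ? namelen : -1;
}

/* Copy the NUL-terminated passwd text `in` to `out`, replacing the entry
 * named `name` with `entry` (newline included). Malformed lines are copied
 * verbatim. Returns entries replaced, or -1 if `out` is too small. */
int copy_replace(const char *in, const char *name, const char *entry,
                 char *out, size_t outsz)
{
    size_t used = 0, nlen = strlen(name);
    int replaced = 0;
    if (outsz == 0)
        return -1;
    while (*in != '\0') {
        const char *nl = strchr(in, '\n');
        size_t len = nl ? (size_t)(nl - in) : strlen(in);
        size_t span = nl ? len + 1 : len;      /* line plus its newline */
        const char *src = in;
        size_t srclen = span;
        int n = scan_name(in, len);
        /* Test for "malformed" before the name is compared, as the fix does. */
        if (n != -1 && (size_t)n == nlen && memcmp(in, name, nlen) == 0) {
            src = entry;
            srclen = strlen(entry);
            replaced++;
        }
        if (used + srclen + 1 > outsz)
            return -1;
        memcpy(out + used, src, srclen);
        used += srclen;
        in += span;
    }
    out[used] = '\0';
    return replaced;
}
```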
