summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog38
-rw-r--r--NEWS7
-rw-r--r--nis/nss_compat/compat-grp.c6
-rw-r--r--nis/nss_compat/compat-pwd.c6
-rw-r--r--nis/nss_compat/compat-spwd.c16
-rw-r--r--nss/nss_files/files-XXX.c109
-rw-r--r--nss/nss_files/files-alias.c90
-rw-r--r--nss/nss_files/files-hosts.c35
8 files changed, 122 insertions, 185 deletions
diff --git a/ChangeLog b/ChangeLog
index 8ff45d4ef9..05c23e75b1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,41 @@
+2015-05-11 Andreas Schwab <schwab@suse.de>
+
+ [BZ #18007]
+ * nis/nss_compat/compat-grp.c (internal_endgrent): Don't call
+ nss_endgrent.
+ (_nss_compat_endgrent): Call nss_endgrent.
+ * nis/nss_compat/compat-pwd.c (internal_endpwent): Don't call
+ nss_endpwent.
+ (_nss_compat_endpwent): Call nss_endpwent.
+ * nis/nss_compat/compat-spwd.c (internal_setspent): Add parameter
+ needent, call nss_setspent only if non-zero.
+ (_nss_compat_setspent, _nss_compat_getspent_r): Pass non-zero.
+ (internal_endspent): Don't call nss_endspent.
+ (_nss_compat_endspent): Call nss_endspent.
+ * nss/nss_files/files-XXX.c (position, last_use, keep_stream):
+ Remove. All uses removed.
+ (internal_setent): Remove parameter stayopen, add parameter
+ stream. Use it instead of global variable.
+ (CONCAT(_nss_files_set,ENTNAME)): Pass global stream.
+ (internal_endent, internal_getent): Add parameter stream. Use it
+ instead of global variable.
+ (CONCAT(_nss_files_end,ENTNAME))
+ (CONCAT(_nss_files_get,ENTNAME_r)): Pass global stream.
+ (_nss_files_get##name##_r): Pass local stream. Remove locking.
+ * nss/nss_files/files-alias.c (position, last_use): Remove. All
+ uses removed.
+ (internal_setent, internal_endent): Add parameter stream. Use it
+ instead of global variable.
+ (_nss_files_setaliasent, _nss_files_endaliasent): Pass global
+ stream.
+ (get_next_alias): Add parameter stream.
+ (_nss_files_getaliasent_r): Pass global stream.
+ (_nss_files_getaliasbyname_r): Pass local stream. Remove locking.
+ * nss/nss_files/files-hosts.c (_nss_files_gethostbyname3_r)
+ (_nss_files_gethostbyname4_r): Pass local stream to
+ internal_setent, internal_getent and internal_endent. Remove
+ locking.
+
2015-05-11 Stefan Liebler <stli@linux.vnet.ibm.com>
* tst-strfmon1.c (tests): Update expected currency symbol.
diff --git a/NEWS b/NEWS
index fb4228330a..c1054ccbdb 100644
--- a/NEWS
+++ b/NEWS
@@ -44,10 +44,9 @@ Version 2.22
Hat). These updates cause user visible changes, such as the fix for bug
17998.
-* CVE-2014-8121 The NSS files backend would reset the file pointer used by
- the get*ent functions if any of the query functions for the same database
- are used during the iteration, causing a denial-of-service condition in
- some applications.
+* CVE-2014-8121 The NSS backends shared internal state between the getXXent
+ and getXXbyYY NSS calls for the same database, causing a denial-of-service
+ condition in some applications.
Version 2.21
diff --git a/nis/nss_compat/compat-grp.c b/nis/nss_compat/compat-grp.c
index 5e9c527964..d8ef4be63b 100644
--- a/nis/nss_compat/compat-grp.c
+++ b/nis/nss_compat/compat-grp.c
@@ -194,9 +194,6 @@ _nss_compat_setgrent (int stayopen)
static enum nss_status
internal_endgrent (ent_t *ent)
{
- if (nss_endgrent)
- nss_endgrent ();
-
if (ent->stream != NULL)
{
fclose (ent->stream);
@@ -222,6 +219,9 @@ _nss_compat_endgrent (void)
__libc_lock_lock (lock);
+ if (nss_endgrent)
+ nss_endgrent ();
+
result = internal_endgrent (&ext_ent);
__libc_lock_unlock (lock);
diff --git a/nis/nss_compat/compat-pwd.c b/nis/nss_compat/compat-pwd.c
index e3e3dbb308..9b1d671d17 100644
--- a/nis/nss_compat/compat-pwd.c
+++ b/nis/nss_compat/compat-pwd.c
@@ -311,9 +311,6 @@ _nss_compat_setpwent (int stayopen)
static enum nss_status
internal_endpwent (ent_t *ent)
{
- if (nss_endpwent)
- nss_endpwent ();
-
if (ent->stream != NULL)
{
fclose (ent->stream);
@@ -346,6 +343,9 @@ _nss_compat_endpwent (void)
__libc_lock_lock (lock);
+ if (nss_endpwent)
+ nss_endpwent ();
+
result = internal_endpwent (&ext_ent);
__libc_lock_unlock (lock);
diff --git a/nis/nss_compat/compat-spwd.c b/nis/nss_compat/compat-spwd.c
index 73c2ed3fe0..5e4bf78e47 100644
--- a/nis/nss_compat/compat-spwd.c
+++ b/nis/nss_compat/compat-spwd.c
@@ -169,7 +169,7 @@ copy_spwd_changes (struct spwd *dest, struct spwd *src,
}
static enum nss_status
-internal_setspent (ent_t *ent, int stayopen)
+internal_setspent (ent_t *ent, int stayopen, int needent)
{
enum nss_status status = NSS_STATUS_SUCCESS;
@@ -239,7 +239,7 @@ internal_setspent (ent_t *ent, int stayopen)
give_spwd_free (&ent->pwd);
- if (status == NSS_STATUS_SUCCESS && nss_setspent)
+ if (needent && status == NSS_STATUS_SUCCESS && nss_setspent)
ent->setent_status = nss_setspent (stayopen);
return status;
@@ -256,7 +256,7 @@ _nss_compat_setspent (int stayopen)
if (ni == NULL)
init_nss_interface ();
- result = internal_setspent (&ext_ent, stayopen);
+ result = internal_setspent (&ext_ent, stayopen, 1);
__libc_lock_unlock (lock);
@@ -267,9 +267,6 @@ _nss_compat_setspent (int stayopen)
static enum nss_status
internal_endspent (ent_t *ent)
{
- if (nss_endspent)
- nss_endspent ();
-
if (ent->stream != NULL)
{
fclose (ent->stream);
@@ -303,6 +300,9 @@ _nss_compat_endspent (void)
__libc_lock_lock (lock);
+ if (nss_endspent)
+ nss_endspent ();
+
result = internal_endspent (&ext_ent);
__libc_lock_unlock (lock);
@@ -658,7 +658,7 @@ _nss_compat_getspent_r (struct spwd *pwd, char *buffer, size_t buflen,
init_nss_interface ();
if (ext_ent.stream == NULL)
- result = internal_setspent (&ext_ent, 1);
+ result = internal_setspent (&ext_ent, 1, 1);
if (result == NSS_STATUS_SUCCESS)
result = internal_getspent_r (pwd, &ext_ent, buffer, buflen, errnop);
@@ -830,7 +830,7 @@ _nss_compat_getspnam_r (const char *name, struct spwd *pwd,
__libc_lock_unlock (lock);
- result = internal_setspent (&ent, 0);
+ result = internal_setspent (&ent, 0, 0);
if (result == NSS_STATUS_SUCCESS)
result = internal_getspnam_r (name, pwd, &ent, buffer, buflen, errnop);
diff --git a/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c
index a7ce5ea97e..f002f431e5 100644
--- a/nss/nss_files/files-XXX.c
+++ b/nss/nss_files/files-XXX.c
@@ -60,24 +60,23 @@
/* Locks the static variables in this file. */
__libc_lock_define_initialized (static, lock)
-/* Maintenance of the shared stream open on the database file. */
+/* Maintenance of the stream open on the database file. For getXXent
+ operations the stream needs to be held open across calls, the other
+ getXXbyYY operations all use their own stream. */
static FILE *stream;
-static fpos_t position;
-static enum { nouse, getent, getby } last_use;
-static int keep_stream;
/* Open database file if not already opened. */
static enum nss_status
-internal_setent (int stayopen)
+internal_setent (FILE **stream)
{
enum nss_status status = NSS_STATUS_SUCCESS;
- if (stream == NULL)
+ if (*stream == NULL)
{
- stream = fopen (DATAFILE, "rce");
+ *stream = fopen (DATAFILE, "rce");
- if (stream == NULL)
+ if (*stream == NULL)
status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL;
else
{
@@ -90,7 +89,7 @@ internal_setent (int stayopen)
int result;
int flags;
- result = flags = fcntl (fileno (stream), F_GETFD, 0);
+ result = flags = fcntl (fileno (*stream), F_GETFD, 0);
if (result >= 0)
{
# ifdef O_CLOEXEC
@@ -100,15 +99,15 @@ internal_setent (int stayopen)
# endif
{
flags |= FD_CLOEXEC;
- result = fcntl (fileno (stream), F_SETFD, flags);
+ result = fcntl (fileno (*stream), F_SETFD, flags);
}
}
if (result < 0)
{
/* Something went wrong. Close the stream and return a
failure. */
- fclose (stream);
- stream = NULL;
+ fclose (*stream);
+ *stream = NULL;
status = NSS_STATUS_UNAVAIL;
}
}
@@ -116,11 +115,7 @@ internal_setent (int stayopen)
}
}
else
- rewind (stream);
-
- /* Remember STAYOPEN flag. */
- if (stream != NULL)
- keep_stream |= stayopen;
+ rewind (*stream);
return status;
}
@@ -134,16 +129,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen)
__libc_lock_lock (lock);
- status = internal_setent (1);
-
- if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
- {
- fclose (stream);
- stream = NULL;
- status = NSS_STATUS_UNAVAIL;
- }
-
- last_use = getent;
+ status = internal_setent (&stream);
__libc_lock_unlock (lock);
@@ -153,12 +139,12 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen)
/* Close the database file. */
static void
-internal_endent (void)
+internal_endent (FILE **stream)
{
- if (stream != NULL)
+ if (*stream != NULL)
{
- fclose (stream);
- stream = NULL;
+ fclose (*stream);
+ *stream = NULL;
}
}
@@ -169,10 +155,7 @@ CONCAT(_nss_files_end,ENTNAME) (void)
{
__libc_lock_lock (lock);
- internal_endent ();
-
- /* Reset STAYOPEN flag. */
- keep_stream = 0;
+ internal_endent (&stream);
__libc_lock_unlock (lock);
@@ -227,7 +210,7 @@ get_contents (char *linebuf, size_t len, FILE *stream)
/* Parsing the database file into `struct STRUCTURE' data structures. */
static enum nss_status
-internal_getent (struct STRUCTURE *result,
+internal_getent (FILE *stream, struct STRUCTURE *result,
char *buffer, size_t buflen, int *errnop H_ERRNO_PROTO
EXTRA_ARGS_DECL)
{
@@ -300,45 +283,14 @@ CONCAT(_nss_files_get,ENTNAME_r) (struct STRUCTURE *result, char *buffer,
{
int save_errno = errno;
- status = internal_setent (0);
+ status = internal_setent (&stream);
__set_errno (save_errno);
-
- if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
- {
- fclose (stream);
- stream = NULL;
- status = NSS_STATUS_UNAVAIL;
- }
}
if (status == NSS_STATUS_SUCCESS)
- {
- /* If the last use was not by the getent function we need the
- position the stream. */
- if (last_use != getent)
- {
- if (fsetpos (stream, &position) < 0)
- status = NSS_STATUS_UNAVAIL;
- else
- last_use = getent;
- }
-
- if (status == NSS_STATUS_SUCCESS)
- {
- status = internal_getent (result, buffer, buflen, errnop
- H_ERRNO_ARG EXTRA_ARGS_VALUE);
-
- /* Remember this position if we were successful. If the
- operation failed we give the user a chance to repeat the
- operation (perhaps the buffer was too small). */
- if (status == NSS_STATUS_SUCCESS)
- fgetpos (stream, &position);
- else
- /* We must make sure we reposition the stream the next call. */
- last_use = nouse;
- }
- }
+ status = internal_getent (stream, result, buffer, buflen, errnop
+ H_ERRNO_ARG EXTRA_ARGS_VALUE);
__libc_lock_unlock (lock);
@@ -364,27 +316,20 @@ _nss_files_get##name##_r (proto, \
size_t buflen, int *errnop H_ERRNO_PROTO) \
{ \
enum nss_status status; \
+ FILE *stream = NULL; \
\
- __libc_lock_lock (lock); \
- \
- /* Reset file pointer to beginning or open file. */ \
- status = internal_setent (keep_stream); \
+ /* Open file. */ \
+ status = internal_setent (&stream); \
\
if (status == NSS_STATUS_SUCCESS) \
{ \
- /* Tell getent function that we have repositioned the file pointer. */ \
- last_use = getby; \
- \
- while ((status = internal_getent (result, buffer, buflen, errnop \
+ while ((status = internal_getent (stream, result, buffer, buflen, errnop \
H_ERRNO_ARG EXTRA_ARGS_VALUE)) \
== NSS_STATUS_SUCCESS) \
{ break_if_match } \
\
- if (! keep_stream) \
- internal_endent (); \
+ internal_endent (&stream); \
} \
\
- __libc_lock_unlock (lock); \
- \
return status; \
}
diff --git a/nss/nss_files/files-alias.c b/nss/nss_files/files-alias.c
index d5c5089e2e..071c01d158 100644
--- a/nss/nss_files/files-alias.c
+++ b/nss/nss_files/files-alias.c
@@ -33,23 +33,23 @@
/* Locks the static variables in this file. */
__libc_lock_define_initialized (static, lock)
-/* Maintenance of the shared stream open on the database file. */
+/* Maintenance of the stream open on the database file. For getXXent
+ operations the stream needs to be held open across calls, the other
+ getXXbyYY operations all use their own stream. */
static FILE *stream;
-static fpos_t position;
-static enum { nouse, getent, getby } last_use;
static enum nss_status
-internal_setent (void)
+internal_setent (FILE **stream)
{
enum nss_status status = NSS_STATUS_SUCCESS;
- if (stream == NULL)
+ if (*stream == NULL)
{
- stream = fopen ("/etc/aliases", "rce");
+ *stream = fopen ("/etc/aliases", "rce");
- if (stream == NULL)
+ if (*stream == NULL)
status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL;
else
{
@@ -62,7 +62,7 @@ internal_setent (void)
int result;
int flags;
- result = flags = fcntl (fileno (stream), F_GETFD, 0);
+ result = flags = fcntl (fileno (*stream), F_GETFD, 0);
if (result >= 0)
{
# ifdef O_CLOEXEC
@@ -72,14 +72,14 @@ internal_setent (void)
# endif
{
flags |= FD_CLOEXEC;
- result = fcntl (fileno (stream), F_SETFD, flags);
+ result = fcntl (fileno (*stream), F_SETFD, flags);
}
}
if (result < 0)
{
/* Something went wrong. Close the stream and return a
failure. */
- fclose (stream);
+ fclose (*stream);
stream = NULL;
status = NSS_STATUS_UNAVAIL;
}
@@ -88,7 +88,7 @@ internal_setent (void)
}
}
else
- rewind (stream);
+ rewind (*stream);
return status;
}
@@ -102,16 +102,7 @@ _nss_files_setaliasent (void)
__libc_lock_lock (lock);
- status = internal_setent ();
-
- if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
- {
- fclose (stream);
- stream = NULL;
- status = NSS_STATUS_UNAVAIL;
- }
-
- last_use = getent;
+ status = internal_setent (&stream);
__libc_lock_unlock (lock);
@@ -121,12 +112,12 @@ _nss_files_setaliasent (void)
/* Close the database file. */
static void
-internal_endent (void)
+internal_endent (FILE **stream)
{
- if (stream != NULL)
+ if (*stream != NULL)
{
- fclose (stream);
- stream = NULL;
+ fclose (*stream);
+ *stream = NULL;
}
}
@@ -137,7 +128,7 @@ _nss_files_endaliasent (void)
{
__libc_lock_lock (lock);
- internal_endent ();
+ internal_endent (&stream);
__libc_lock_unlock (lock);
@@ -146,7 +137,7 @@ _nss_files_endaliasent (void)
/* Parsing the database file into `struct aliasent' data structures. */
static enum nss_status
-get_next_alias (const char *match, struct aliasent *result,
+get_next_alias (FILE *stream, const char *match, struct aliasent *result,
char *buffer, size_t buflen, int *errnop)
{
enum nss_status status = NSS_STATUS_NOTFOUND;
@@ -397,35 +388,16 @@ _nss_files_getaliasent_r (struct aliasent *result, char *buffer, size_t buflen,
/* Be prepared that the set*ent function was not called before. */
if (stream == NULL)
- status = internal_setent ();
+ status = internal_setent (&stream);
if (status == NSS_STATUS_SUCCESS)
{
- /* If the last use was not by the getent function we need the
- position the stream. */
- if (last_use != getent)
- {
- if (fsetpos (stream, &position) < 0)
- status = NSS_STATUS_UNAVAIL;
- else
- last_use = getent;
- }
+ result->alias_local = 1;
- if (status == NSS_STATUS_SUCCESS)
- {
- result->alias_local = 1;
-
- /* Read lines until we get a definite result. */
- do
- status = get_next_alias (NULL, result, buffer, buflen, errnop);
- while (status == NSS_STATUS_RETURN);
-
- /* If we successfully read an entry remember this position. */
- if (status == NSS_STATUS_SUCCESS)
- fgetpos (stream, &position);
- else
- last_use = nouse;
- }
+ /* Read lines until we get a definite result. */
+ do
+ status = get_next_alias (stream, NULL, result, buffer, buflen, errnop);
+ while (status == NSS_STATUS_RETURN);
}
__libc_lock_unlock (lock);
@@ -440,6 +412,7 @@ _nss_files_getaliasbyname_r (const char *name, struct aliasent *result,
{
/* Return next entry in host file. */
enum nss_status status = NSS_STATUS_SUCCESS;
+ FILE *stream = NULL;
if (name == NULL)
{
@@ -447,11 +420,8 @@ _nss_files_getaliasbyname_r (const char *name, struct aliasent *result,
return NSS_STATUS_UNAVAIL;
}
- __libc_lock_lock (lock);
-
- /* Open the stream or rest it. */
- status = internal_setent ();
- last_use = getby;
+ /* Open the stream. */
+ status = internal_setent (&stream);
if (status == NSS_STATUS_SUCCESS)
{
@@ -459,13 +429,11 @@ _nss_files_getaliasbyname_r (const char *name, struct aliasent *result,
/* Read lines until we get a definite result. */
do
- status = get_next_alias (name, result, buffer, buflen, errnop);
+ status = get_next_alias (stream, name, result, buffer, buflen, errnop);
while (status == NSS_STATUS_RETURN);
}
- internal_endent ();
-
- __libc_lock_unlock (lock);
+ internal_endent (&stream);
return status;
}
diff --git a/nss/nss_files/files-hosts.c b/nss/nss_files/files-hosts.c
index 4c51c90b4a..4117458c92 100644
--- a/nss/nss_files/files-hosts.c
+++ b/nss/nss_files/files-hosts.c
@@ -120,14 +120,13 @@ _nss_files_gethostbyname3_r (const char *name, int af, struct hostent *result,
char *buffer, size_t buflen, int *errnop,
int *herrnop, int32_t *ttlp, char **canonp)
{
+ FILE *stream = NULL;
uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct hostent_data);
buffer += pad;
buflen = buflen > pad ? buflen - pad : 0;
- __libc_lock_lock (lock);
-
- /* Reset file pointer to beginning or open file. */
- enum nss_status status = internal_setent (keep_stream);
+ /* Open file. */
+ enum nss_status status = internal_setent (&stream);
if (status == NSS_STATUS_SUCCESS)
{
@@ -135,10 +134,7 @@ _nss_files_gethostbyname3_r (const char *name, int af, struct hostent *result,
addresses to IPv6 addresses really the right thing to do? */
int flags = ((_res.options & RES_USE_INET6) ? AI_V4MAPPED : 0);
- /* Tell getent function that we have repositioned the file pointer. */
- last_use = getby;
-
- while ((status = internal_getent (result, buffer, buflen, errnop,
+ while ((status = internal_getent (stream, result, buffer, buflen, errnop,
herrnop, af, flags))
== NSS_STATUS_SUCCESS)
{
@@ -165,7 +161,7 @@ _nss_files_gethostbyname3_r (const char *name, int af, struct hostent *result,
bufferend = (char *) &result->h_aliases[naliases + 1];
again:
- while ((status = internal_getent (&tmp_result_buf, tmp_buffer,
+ while ((status = internal_getent (stream, &tmp_result_buf, tmp_buffer,
tmp_buflen, errnop, herrnop, af,
flags))
== NSS_STATUS_SUCCESS)
@@ -341,15 +337,12 @@ _nss_files_gethostbyname3_r (const char *name, int af, struct hostent *result,
free (tmp_buffer);
}
- if (! keep_stream)
- internal_endent ();
+ internal_endent (&stream);
}
if (canonp && status == NSS_STATUS_SUCCESS)
*canonp = result->h_name;
- __libc_lock_unlock (lock);
-
return status;
}
@@ -378,16 +371,13 @@ _nss_files_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
char *buffer, size_t buflen, int *errnop,
int *herrnop, int32_t *ttlp)
{
- __libc_lock_lock (lock);
+ FILE *stream = NULL;
- /* Reset file pointer to beginning or open file. */
- enum nss_status status = internal_setent (keep_stream);
+ /* Open file. */
+ enum nss_status status = internal_setent (&stream);
if (status == NSS_STATUS_SUCCESS)
{
- /* Tell getent function that we have repositioned the file pointer. */
- last_use = getby;
-
bool any = false;
bool got_canon = false;
while (1)
@@ -399,7 +389,7 @@ _nss_files_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
buflen = buflen > pad ? buflen - pad : 0;
struct hostent result;
- status = internal_getent (&result, buffer, buflen, errnop,
+ status = internal_getent (stream, &result, buffer, buflen, errnop,
herrnop, AF_UNSPEC, 0);
if (status != NSS_STATUS_SUCCESS)
break;
@@ -475,8 +465,7 @@ _nss_files_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
status = NSS_STATUS_SUCCESS;
}
- if (! keep_stream)
- internal_endent ();
+ internal_endent (&stream);
}
else if (status == NSS_STATUS_TRYAGAIN)
{
@@ -489,7 +478,5 @@ _nss_files_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
*herrnop = NO_DATA;
}
- __libc_lock_unlock (lock);
-
return status;
}