File nss-nis-stack-use.patch of Package glibc.i686

2014-05-12  Andreas Schwab  <schwab@suse.de>

	[BZ #16932]
	* nis/nss_nis/nis-hosts.c (internal_gethostbyname2_r)
	(_nss_nis_gethostbyname4_r): Return error if item length is larger
	than maximum RPC packet size.
	* nis/nss_nis/nis-initgroups.c (initgroups_netid): Likewise.
	* nis/nss_nis/nis-network.c (_nss_nis_getnetbyname_r): Likewise.
	* nis/nss_nis/nis-service.c (_nss_nis_getservbyname_r)
	(_nss_nis_getservbyport_r): Likewise.

Index: glibc-2.19/nis/nss_nis/nis-hosts.c
===================================================================
--- glibc-2.19.orig/nis/nss_nis/nis-hosts.c
+++ glibc-2.19/nis/nss_nis/nis-hosts.c
@@ -270,6 +270,13 @@ internal_gethostbyname2_r (const char *n
 
   /* Convert name to lowercase.  */
   size_t namlen = strlen (name);
+  /* Limit name length to the maximum size of an RPC packet.  */
+  if (namlen > UDPMSGSIZE)
+    {
+      *errnop = ERANGE;
+      return NSS_STATUS_UNAVAIL;
+    }
+
   char name2[namlen + 1];
   size_t i;
 
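Review bot: The comment added above the guard in internal_gethostbyname2_r gives the RPC packet size as the reason but does not say what the check protects, which is the `char name2[namlen + 1]` variable-length array two lines later, whose size would otherwise follow the caller-supplied name. I would word it as `/* Bound the name2 VLA below: reject names longer than an RPC packet can carry.  */` so the check is not later dropped as a protocol nicety. The same comment wording is used in the _nss_nis_gethostbyname4_r hunk and in the nis-initgroups.c, nis-network.c and nis-service.c hunks, and the same rewording applies there with the respective buffer name. The function body starts and ends outside the hunk.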
@@ -461,6 +468,13 @@ _nss_nis_gethostbyname4_r (const char *n
 
   /* Convert name to lowercase.  */
   size_t namlen = strlen (name);
+  /* Limit name length to the maximum size of an RPC packet.  */
+  if (namlen > UDPMSGSIZE)
+    {
+      *errnop = ERANGE;
+      return NSS_STATUS_UNAVAIL;
+    }
+
   char name2[namlen + 1];
   size_t i;
 
Index: glibc-2.19/nis/nss_nis/nis-initgroups.c
===================================================================
--- glibc-2.19.orig/nis/nss_nis/nis-initgroups.c
+++ glibc-2.19/nis/nss_nis/nis-initgroups.c
@@ -150,6 +150,13 @@ initgroups_netid (uid_t uid, gid_t group
 		  gid_t **groupsp, long int limit, int *errnop,
 		  const char *domainname)
 {
+  /* Limit domainname length to the maximum size of an RPC packet.  */
+  if (strlen (domainname) > UDPMSGSIZE)
+    {
+      *errnop = ERANGE;
+      return NSS_STATUS_UNAVAIL;
+    }
+
   /* Prepare the key.  The form is "unix.UID@DOMAIN" with the UID and
      DOMAIN field filled in appropriately.  */
   char key[sizeof ("unix.@") + sizeof (uid_t) * 3 + strlen (domainname)];
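Review bot: `strlen (domainname)` is evaluated once in the new guard and again in the size expression of `key` on the last line of the hunk, so the bound and the allocation are linked only by the two calls agreeing. Taking the length once with `size_t domlen = strlen (domainname);`, testing `domlen > UDPMSGSIZE`, and ending the array size with `+ domlen` makes it explicit that the checked value is the one that sizes the stack array. initgroups_netid continues past the end of the hunk.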
Index: glibc-2.19/nis/nss_nis/nis-network.c
===================================================================
--- glibc-2.19.orig/nis/nss_nis/nis-network.c
+++ glibc-2.19/nis/nss_nis/nis-network.c
@@ -179,6 +179,13 @@ _nss_nis_getnetbyname_r (const char *nam
 
   /* Convert name to lowercase.  */
   size_t namlen = strlen (name);
+  /* Limit name length to the maximum size of an RPC packet.  */
+  if (namlen > UDPMSGSIZE)
+    {
+      *errnop = ERANGE;
+      return NSS_STATUS_UNAVAIL;
+    }
+
   char name2[namlen + 1];
   size_t i;
 
Index: glibc-2.19/nis/nss_nis/nis-service.c
===================================================================
--- glibc-2.19.orig/nis/nss_nis/nis-service.c
+++ glibc-2.19/nis/nss_nis/nis-service.c
@@ -271,6 +271,13 @@ _nss_nis_getservbyname_r (const char *na
   /* If the protocol is given, we could try if our NIS server knows
      about services.byservicename map. If yes, we only need one query.  */
   size_t keylen = strlen (name) + (protocol ? 1 + strlen (protocol) : 0);
+  /* Limit key length to the maximum size of an RPC packet.  */
+  if (keylen > UDPMSGSIZE)
+    {
+      *errnop = ERANGE;
+      return NSS_STATUS_UNAVAIL;
+    }
+
   char key[keylen + 1];
 
   /* key is: "name/proto" */
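Review bot: `*errnop = ERANGE` together with `NSS_STATUS_UNAVAIL` in _nss_nis_getservbyname_r reuses the errno value that NSS modules conventionally pair with NSS_STATUS_TRYAGAIN to report a too-small result buffer, whereas here it means the lookup key itself is over-long. Callers that act on the status will not retry, but code that looks at errno alone could read this as a request for a larger buffer. A comment on the assignment such as `/* Key too long, not a result-buffer problem; UNAVAIL keeps callers from retrying.  */` would record the intent. The same pairing is used in every other hunk of this patch, and the function body extends beyond this hunk.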
@@ -355,6 +362,13 @@ _nss_nis_getservbyport_r (int port, cons
      Otherwise try first port/tcp, then port/udp and then fallback
      to sequential scanning of services.byname.  */
   const char *proto = protocol != NULL ? protocol : "tcp";
+  /* Limit protocol name length to the maximum size of an RPC packet.  */
+  if (strlen (proto) > UDPMSGSIZE)
+    {
+      *errnop = ERANGE;
+      return NSS_STATUS_UNAVAIL;
+    }
+
   do
     {
       /* key is: "port/proto" */
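Review bot: The guard in _nss_nis_getservbyport_r measures `proto` after it has been defaulted, so when `protocol` is NULL it runs strlen on the literal "tcp". Testing the caller's argument directly, `if (protocol != NULL && strlen (protocol) > UDPMSGSIZE)`, states which input is the untrusted one. The buffer that this length ends up sizing is not visible here because the do loop continues past the end of the hunk, so the comment above the guard should also name that buffer.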