2e9afc
commit 977f4b31b7ca4a4e498c397f3fd70510694bbd86
2e9afc
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
2e9afc
Date:   Wed Oct 30 16:13:37 2013 +0530
2e9afc
2e9afc
    Fix reads for sizes larger than INT_MAX in AF_INET lookup
2e9afc
    
2e9afc
    Currently for AF_INET lookups from the hosts file, buffer sizes larger
2e9afc
    than INT_MAX silently overflow and may result in access beyond bounds
2e9afc
    of a buffer.  This happens when the number of results in an AF_INET
2e9afc
    lookup in /etc/hosts are very large.
2e9afc
    
2e9afc
    There are two aspects to the problem.  One problem is that the size
2e9afc
    computed from the buffer size is stored into an int, which results in
2e9afc
    overflow for large sizes.  Additionally, even if this size was
2e9afc
    expanded, the function used to read content into the buffer (fgets)
2e9afc
    accepts only int sizes.  As a result, the fix is to have a function
2e9afc
    wrap around fgets that calls it multiple times with int sizes if
2e9afc
    necessary.
2e9afc
2e9afc
diff --git a/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c
2e9afc
index 082d1ea..b62208c 100644
2e9afc
--- a/nss/nss_files/files-XXX.c
2e9afc
+++ b/nss/nss_files/files-XXX.c
2e9afc
@@ -179,8 +179,51 @@ CONCAT(_nss_files_end,ENTNAME) (void)
2e9afc
   return NSS_STATUS_SUCCESS;
2e9afc
 }
2e9afc
 
2e9afc
-/* Parsing the database file into `struct STRUCTURE' data structures.  */
2e9afc
 
2e9afc
+typedef enum
2e9afc
+{
2e9afc
+  gcr_ok = 0,
2e9afc
+  gcr_error = -1,
2e9afc
+  gcr_overflow = -2
2e9afc
+} get_contents_ret;
2e9afc
+
2e9afc
+/* Hack around the fact that fgets only accepts int sizes.  */
2e9afc
+static get_contents_ret
2e9afc
+get_contents (char *linebuf, size_t len, FILE *stream)
2e9afc
+{
2e9afc
+  size_t remaining_len = len;
2e9afc
+  char *curbuf = linebuf;
2e9afc
+
2e9afc
+  do
2e9afc
+    {
2e9afc
+      int curlen = ((remaining_len > (size_t) INT_MAX) ? INT_MAX
2e9afc
+		    : remaining_len);
2e9afc
+      char *p = fgets_unlocked (curbuf, curlen, stream);
2e9afc
+
2e9afc
+      ((unsigned char *) curbuf)[curlen - 1] = 0xff;
2e9afc
+
2e9afc
+      /* EOF or read error.  */
2e9afc
+      if (p == NULL)
2e9afc
+        return gcr_error;
2e9afc
+
2e9afc
+      /* Done reading in the line.  */
2e9afc
+      if (((unsigned char *) curbuf)[curlen - 1] == 0xff)
2e9afc
+        return gcr_ok;
2e9afc
+
2e9afc
+      /* Drop the terminating '\0'.  */
2e9afc
+      remaining_len -= curlen - 1;
2e9afc
+      curbuf += curlen - 1;
2e9afc
+    }
2e9afc
+  /* fgets copies one less than the input length.  Our last iteration is of
2e9afc
+     REMAINING_LEN and once that is done, REMAINING_LEN is decremented by
2e9afc
+     REMAINING_LEN - 1, leaving the result as 1.  */
2e9afc
+  while (remaining_len > 1);
2e9afc
+
2e9afc
+  /* This means that the current buffer was not large enough.  */
2e9afc
+  return gcr_overflow;
2e9afc
+}
2e9afc
+
2e9afc
+/* Parsing the database file into `struct STRUCTURE' data structures.  */
2e9afc
 static enum nss_status
2e9afc
 internal_getent (struct STRUCTURE *result,
2e9afc
 		 char *buffer, size_t buflen, int *errnop H_ERRNO_PROTO
2e9afc
@@ -188,7 +231,7 @@ internal_getent (struct STRUCTURE *result,
2e9afc
 {
2e9afc
   char *p;
2e9afc
   struct parser_data *data = (void *) buffer;
2e9afc
-  int linebuflen = buffer + buflen - data->linebuffer;
2e9afc
+  size_t linebuflen = buffer + buflen - data->linebuffer;
2e9afc
   int parse_result;
2e9afc
 
2e9afc
   if (buflen < sizeof *data + 2)
2e9afc
@@ -200,17 +243,16 @@ internal_getent (struct STRUCTURE *result,
2e9afc
 
2e9afc
   do
2e9afc
     {
2e9afc
-      /* Terminate the line so that we can test for overflow.  */
2e9afc
-      ((unsigned char *) data->linebuffer)[linebuflen - 1] = '\xff';
2e9afc
+      get_contents_ret r = get_contents (data->linebuffer, linebuflen, stream);
2e9afc
 
2e9afc
-      p = fgets_unlocked (data->linebuffer, linebuflen, stream);
2e9afc
-      if (p == NULL)
2e9afc
+      if (r == gcr_error)
2e9afc
 	{
2e9afc
 	  /* End of file or read error.  */
2e9afc
 	  H_ERRNO_SET (HOST_NOT_FOUND);
2e9afc
 	  return NSS_STATUS_NOTFOUND;
2e9afc
 	}
2e9afc
-      else if (((unsigned char *) data->linebuffer)[linebuflen - 1] != 0xff)
2e9afc
+
2e9afc
+      if (r == gcr_overflow)
2e9afc
 	{
2e9afc
 	  /* The line is too long.  Give the user the opportunity to
2e9afc
 	     enlarge the buffer.  */
2e9afc
@@ -219,7 +261,8 @@ internal_getent (struct STRUCTURE *result,
2e9afc
 	  return NSS_STATUS_TRYAGAIN;
2e9afc
 	}
2e9afc
 
2e9afc
-      /* Skip leading blanks.  */
2e9afc
+      /* Everything OK.  Now skip leading blanks.  */
2e9afc
+      p = data->linebuffer;
2e9afc
       while (isspace (*p))
2e9afc
 	++p;
2e9afc
     }