On Fri, 2011-11-18 at 15:08 +0100, Arthur de Jong wrote: > I would like to upload a new release of nss-pam-ldapd for squeeze that > fixes a bugs that apparently locks some users out of their system. The > bug itself is not a regression in 0.7.15 but it is triggered in some > cases by the stable update. The bug is #645599. > > I think there is a similar bug in nslcd although the changes of it > showing up in normal cases is a lot slimmer than in the above bug and > the changes required are much bigger. I will try to get that fixed in > unstable first for a while (it is really tricky to support both > preseeding and properly picking up current configuration in debconf). I have two more small changes that I would like to push in an update (along with the issue above). The diff for both should be obvious and simple. The first is an issue with some not-initialised variables to fix an issue with detecting the uid of the calling process. The problem itself should only occur when looking up the uid failed for some reason. The second is typo which shouldn't cause many problems in usual cases. These two changes along with the previous change are in an updated attached nss-pam-ldapd-0.7.15-0.7.16.debdiff. I'm also considering another fix that correctly handles overflows in numeric values in the LDAP directory correctly. Redhat is using this patch for some time now but it is a bit more invasive than the other changes so I'd like your input on this. Details of this change are in nss-pam-ldapd-0.7-fix-range-checking.patch. Thanks, -- -- arthur - adejong@debian.org - http://people.debian.org/~adejong --
diff -Nru nss-pam-ldapd-0.7.15/ChangeLog nss-pam-ldapd-0.7.16/ChangeLog
--- nss-pam-ldapd-0.7.15/ChangeLog 2011-10-02 11:10:27.000000000 +0200
+++ nss-pam-ldapd-0.7.16/ChangeLog 2011-12-27 11:47:09.000000000 +0100
@@ -1,3 +1,29 @@
+2011-12-09 13:58 arthur
+
+ * [r1562] config.guess, config.sub: revert changes to config.guess
+ config.sub that were accidentaly part of r1561
+
+2011-12-09 13:54 arthur
+
+ * [r1561] ., config.guess, config.sub, nslcd/myldap.c: fix a typo
+ in disconnect logic (r1560 from 0.8 branch)
+
+2011-12-08 21:34 arthur
+
+ * [r1559] nslcd/nslcd.c: properly ensure that uid, gid and pid vars
+ are properly initialised (part of r1558 from trunk)
+
+2011-11-18 13:02 arthur
+
+ * [r1555] debian/libnss-ldapd.config: fix an issues where changes
+ to /etc/nsswitch.conf outside of debconf were not picked up
+
+2011-10-02 09:47 arthur
+
+ * [r1549] ChangeLog, NEWS, configure.ac, debian/changelog,
+ man/nslcd.8.xml, man/nslcd.conf.5.xml, man/pam_ldap.8.xml: get
+ files ready for 0.7.15 release
+
2011-10-02 09:09 arthur
* [r1548] ., debian/nslcd.config: treat the "hard" value for
diff -Nru nss-pam-ldapd-0.7.15/configure nss-pam-ldapd-0.7.16/configure
--- nss-pam-ldapd-0.7.15/configure 2011-10-02 11:35:15.000000000 +0200
+++ nss-pam-ldapd-0.7.16/configure 2011-12-27 12:24:35.000000000 +0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.67 for nss-pam-ldapd 0.7.15.
+# Generated by GNU Autoconf 2.67 for nss-pam-ldapd 0.7.16.
#
# Report bugs to <nss-pam-ldapd-users@lists.arthurdejong.org>.
#
@@ -562,8 +562,8 @@
# Identity of this package.
PACKAGE_NAME='nss-pam-ldapd'
PACKAGE_TARNAME='nss-pam-ldapd'
-PACKAGE_VERSION='0.7.15'
-PACKAGE_STRING='nss-pam-ldapd 0.7.15'
+PACKAGE_VERSION='0.7.16'
+PACKAGE_STRING='nss-pam-ldapd 0.7.16'
PACKAGE_BUGREPORT='nss-pam-ldapd-users@lists.arthurdejong.org'
PACKAGE_URL=''
@@ -1300,7 +1300,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures nss-pam-ldapd 0.7.15 to adapt to many kinds of systems.
+\`configure' configures nss-pam-ldapd 0.7.16 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1371,7 +1371,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of nss-pam-ldapd 0.7.15:";;
+ short | recursive ) echo "Configuration of nss-pam-ldapd 0.7.16:";;
esac
cat <<\_ACEOF
@@ -1485,7 +1485,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-nss-pam-ldapd configure 0.7.15
+nss-pam-ldapd configure 0.7.16
generated by GNU Autoconf 2.67
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -2045,7 +2045,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by nss-pam-ldapd $as_me 0.7.15, which was
+It was created by nss-pam-ldapd $as_me 0.7.16, which was
generated by GNU Autoconf 2.67. Invocation command line was
$ $0 $@
@@ -2393,7 +2393,7 @@
ac_compiler_gnu=$ac_cv_c_compiler_gnu
-RELEASE_MONTH="Oct 2011"
+RELEASE_MONTH="Dec 2011"
@@ -2541,8 +2541,8 @@
# display notice and initialize automake
-{ $as_echo "$as_me:${as_lineno-$LINENO}: configuring nss-pam-ldapd 0.7.15" >&5
-$as_echo "$as_me: configuring nss-pam-ldapd 0.7.15" >&6;}
+{ $as_echo "$as_me:${as_lineno-$LINENO}: configuring nss-pam-ldapd 0.7.16" >&5
+$as_echo "$as_me: configuring nss-pam-ldapd 0.7.16" >&6;}
am__api_version='1.11'
# Find a good install program. We prefer a C program (faster),
@@ -2981,7 +2981,7 @@
# Define the identity of the package.
PACKAGE=nss-pam-ldapd
- VERSION=0.7.15
+ VERSION=0.7.16
cat >>confdefs.h <<_ACEOF
@@ -8241,7 +8241,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by nss-pam-ldapd $as_me 0.7.15, which was
+This file was extended by nss-pam-ldapd $as_me 0.7.16, which was
generated by GNU Autoconf 2.67. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -8307,7 +8307,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-nss-pam-ldapd config.status 0.7.15
+nss-pam-ldapd config.status 0.7.16
configured by $0, generated by GNU Autoconf 2.67,
with options \\"\$ac_cs_config\\"
diff -Nru nss-pam-ldapd-0.7.15/configure.ac nss-pam-ldapd-0.7.16/configure.ac
--- nss-pam-ldapd-0.7.15/configure.ac 2011-10-02 11:35:06.000000000 +0200
+++ nss-pam-ldapd-0.7.16/configure.ac 2011-12-08 22:34:53.000000000 +0100
@@ -32,8 +32,8 @@
configure.ac file for more details.])
# initialize and set version and bugreport address
-AC_INIT([nss-pam-ldapd],[0.7.15],[nss-pam-ldapd-users@lists.arthurdejong.org])
-RELEASE_MONTH="Oct 2011"
+AC_INIT([nss-pam-ldapd],[0.7.16],[nss-pam-ldapd-users@lists.arthurdejong.org])
+RELEASE_MONTH="Dec 2011"
AC_SUBST(RELEASE_MONTH)
AC_CONFIG_SRCDIR([nslcd.h])
diff -Nru nss-pam-ldapd-0.7.15/debian/changelog nss-pam-ldapd-0.7.16/debian/changelog
--- nss-pam-ldapd-0.7.15/debian/changelog 2011-10-02 11:14:58.000000000 +0200
+++ nss-pam-ldapd-0.7.16/debian/changelog 2011-12-27 11:48:14.000000000 +0100
@@ -1,3 +1,13 @@
+nss-pam-ldapd (0.7.16) stable; urgency=low
+
+ * fix an issue where changes in /etc/nsswitch.conf were not correctly
+ picked up and could lead to lookups being disabled on upgrade
+ (closes: #645599)
+ * fix an issue with detecting the uid of the calling process
+ * fix a problem in the disconnect logic code
+
+ -- Arthur de Jong <adejong@debian.org> Fri, 18 Nov 2011 14:03:11 +0100
+
nss-pam-ldapd (0.7.15) stable; urgency=low
* in debconf, treat the "hard" value for tls_reqcert as if it was "demand"
diff -Nru nss-pam-ldapd-0.7.15/debian/libnss-ldapd.config nss-pam-ldapd-0.7.16/debian/libnss-ldapd.config
--- nss-pam-ldapd-0.7.15/debian/libnss-ldapd.config 2010-09-24 09:07:12.000000000 +0200
+++ nss-pam-ldapd-0.7.16/debian/libnss-ldapd.config 2011-11-18 13:55:43.000000000 +0100
@@ -14,11 +14,9 @@
#
# parse /etc/nsswitch.conf and see which services have ldap specified
-db_get libnss-ldapd/nsswitch
-if [ -z "$RET" ]
+configured=`sed -n 's/^\([a-z]*\):.*[[:space:]]ldap\([[:space:]].*\)\?/\1/p' /etc/nsswitch.conf`
+if [ -n "$configured" ]
then
- # find name services that currently use LDAP
- configured=`sed -n 's/^\([a-z]*\):.*[[:space:]]ldap\([[:space:]].*\)\?/\1/p' /etc/nsswitch.conf`
# separate by commas
configured=`echo $configured | sed 's/ /, /g'`
# store configured services
diff -Nru nss-pam-ldapd-0.7.15/man/nslcd.8 nss-pam-ldapd-0.7.16/man/nslcd.8
--- nss-pam-ldapd-0.7.15/man/nslcd.8 2011-10-01 00:23:12.000000000 +0200
+++ nss-pam-ldapd-0.7.16/man/nslcd.8 2011-12-27 11:53:12.000000000 +0100
@@ -5,7 +5,7 @@
\\$2 \(la\\$1\(ra\\$3
..
.if \n(.g .mso www.tmac
-.TH nslcd 8 "Oct 2011" "Version 0.7.15" "System Manager's Manual"
+.TH nslcd 8 "Dec 2011" "Version 0.7.16" "System Manager's Manual"
.SH NAME
nslcd \- local LDAP name service daemon.
.SH SYNOPSIS
diff -Nru nss-pam-ldapd-0.7.15/man/nslcd.8.xml nss-pam-ldapd-0.7.16/man/nslcd.8.xml
--- nss-pam-ldapd-0.7.15/man/nslcd.8.xml 2011-10-01 00:21:28.000000000 +0200
+++ nss-pam-ldapd-0.7.16/man/nslcd.8.xml 2011-12-08 22:35:07.000000000 +0100
@@ -36,9 +36,9 @@
<refmeta>
<refentrytitle>nslcd</refentrytitle>
<manvolnum>8</manvolnum>
- <refmiscinfo class="version">Version 0.7.15</refmiscinfo>
+ <refmiscinfo class="version">Version 0.7.16</refmiscinfo>
<refmiscinfo class="manual">System Manager's Manual</refmiscinfo>
- <refmiscinfo class="date">Oct 2011</refmiscinfo>
+ <refmiscinfo class="date">Dec 2011</refmiscinfo>
</refmeta>
<refnamediv id="name">
diff -Nru nss-pam-ldapd-0.7.15/man/nslcd.conf.5 nss-pam-ldapd-0.7.16/man/nslcd.conf.5
--- nss-pam-ldapd-0.7.15/man/nslcd.conf.5 2011-10-01 00:23:12.000000000 +0200
+++ nss-pam-ldapd-0.7.16/man/nslcd.conf.5 2011-12-27 11:53:11.000000000 +0100
@@ -5,7 +5,7 @@
\\$2 \(la\\$1\(ra\\$3
..
.if \n(.g .mso www.tmac
-.TH nslcd.conf 5 "Oct 2011" "Version 0.7.15" "System Manager's Manual"
+.TH nslcd.conf 5 "Dec 2011" "Version 0.7.16" "System Manager's Manual"
.SH NAME
nslcd.conf \- configuration file for LDAP nameservice daemon
.SH DESCRIPTION
diff -Nru nss-pam-ldapd-0.7.15/man/nslcd.conf.5.xml nss-pam-ldapd-0.7.16/man/nslcd.conf.5.xml
--- nss-pam-ldapd-0.7.15/man/nslcd.conf.5.xml 2011-10-01 00:21:21.000000000 +0200
+++ nss-pam-ldapd-0.7.16/man/nslcd.conf.5.xml 2011-12-08 22:35:05.000000000 +0100
@@ -36,9 +36,9 @@
<refmeta>
<refentrytitle>nslcd.conf</refentrytitle>
<manvolnum>5</manvolnum>
- <refmiscinfo class="version">Version 0.7.15</refmiscinfo>
+ <refmiscinfo class="version">Version 0.7.16</refmiscinfo>
<refmiscinfo class="manual">System Manager's Manual</refmiscinfo>
- <refmiscinfo class="date">Oct 2011</refmiscinfo>
+ <refmiscinfo class="date">Dec 2011</refmiscinfo>
</refmeta>
<refnamediv id="name">
diff -Nru nss-pam-ldapd-0.7.15/man/pam_ldap.8 nss-pam-ldapd-0.7.16/man/pam_ldap.8
--- nss-pam-ldapd-0.7.15/man/pam_ldap.8 2011-10-01 00:23:12.000000000 +0200
+++ nss-pam-ldapd-0.7.16/man/pam_ldap.8 2011-12-27 11:53:12.000000000 +0100
@@ -5,7 +5,7 @@
\\$2 \(la\\$1\(ra\\$3
..
.if \n(.g .mso www.tmac
-.TH pam_ldap 8 "Oct 2011" "Version 0.7.15" "System Manager's Manual"
+.TH pam_ldap 8 "Dec 2011" "Version 0.7.16" "System Manager's Manual"
.SH NAME
pam_ldap \- PAM module for LDAP-based authentication
.SH SYNOPSIS
diff -Nru nss-pam-ldapd-0.7.15/man/pam_ldap.8.xml nss-pam-ldapd-0.7.16/man/pam_ldap.8.xml
--- nss-pam-ldapd-0.7.15/man/pam_ldap.8.xml 2011-10-01 00:21:12.000000000 +0200
+++ nss-pam-ldapd-0.7.16/man/pam_ldap.8.xml 2011-12-08 22:35:00.000000000 +0100
@@ -35,9 +35,9 @@
<refmeta>
<refentrytitle>pam_ldap</refentrytitle>
<manvolnum>8</manvolnum>
- <refmiscinfo class="version">Version 0.7.15</refmiscinfo>
+ <refmiscinfo class="version">Version 0.7.16</refmiscinfo>
<refmiscinfo class="manual">System Manager's Manual</refmiscinfo>
- <refmiscinfo class="date">Oct 2011</refmiscinfo>
+ <refmiscinfo class="date">Dec 2011</refmiscinfo>
</refmeta>
<refnamediv id="name">
diff -Nru nss-pam-ldapd-0.7.15/NEWS nss-pam-ldapd-0.7.16/NEWS
--- nss-pam-ldapd-0.7.15/NEWS 2011-10-01 00:19:08.000000000 +0200
+++ nss-pam-ldapd-0.7.16/NEWS 2011-12-27 12:24:22.000000000 +0100
@@ -1,3 +1,11 @@
+changes from 0.7.15 to 0.7.16
+-----------------------------
+
+* fix an issue with detecting the uid of the calling process
+* fix a problem in the disconnect logic code
+* Debian packaging fix
+
+
changes from 0.7.14 to 0.7.15
-----------------------------
diff -Nru nss-pam-ldapd-0.7.15/nslcd/myldap.c nss-pam-ldapd-0.7.16/nslcd/myldap.c
--- nss-pam-ldapd-0.7.15/nslcd/myldap.c 2011-06-05 11:19:27.000000000 +0200
+++ nss-pam-ldapd-0.7.16/nslcd/myldap.c 2011-12-27 11:47:33.000000000 +0100
@@ -1198,7 +1198,7 @@
}
/* close connection on some connection problems */
if ((rc==LDAP_UNAVAILABLE)||(rc==LDAP_SERVER_DOWN)||(rc==LDAP_SUCCESS)||
- (rc==LDAP_TIMELIMIT_EXCEEDED)|(rc==LDAP_OPERATIONS_ERROR)||
+ (rc==LDAP_TIMELIMIT_EXCEEDED)||(rc==LDAP_OPERATIONS_ERROR)||
(rc==LDAP_PROTOCOL_ERROR))
{
do_close(search->session);
diff -Nru nss-pam-ldapd-0.7.15/nslcd/nslcd.c nss-pam-ldapd-0.7.16/nslcd/nslcd.c
--- nss-pam-ldapd-0.7.15/nslcd/nslcd.c 2010-09-24 09:07:16.000000000 +0200
+++ nss-pam-ldapd-0.7.16/nslcd/nslcd.c 2011-12-08 22:33:20.000000000 +0100
@@ -357,9 +357,9 @@
TFILE *fp;
int32_t action;
struct timeval readtimeout,writetimeout;
- uid_t uid;
- gid_t gid;
- pid_t pid;
+ uid_t uid=(uid_t)-1;
+ gid_t gid=(gid_t)-1;
+ pid_t pid=(pid_t)-1;
/* indicate new connection to logging module (genrates unique id) */
log_newsession();
/* log connection */
Property changes on: .
___________________________________________________________________
Modified: svn:mergeinfo
Merged /nss-pam-ldapd:r1523-1524,1528
Index: AUTHORS
===================================================================
--- AUTHORS (revision 1571)
+++ AUTHORS (working copy)
@@ -79,3 +79,4 @@
Jan Schampera <jan.schampera@web.de>
Nalin Dahyabhai <nalin@redhat.com>
Daniel Dehennin <daniel.dehennin@baby-gnu.org>
+Jakub Hrozek <jhrozek@redhat.com>
Index: configure.ac
===================================================================
--- configure.ac (revision 1571)
+++ configure.ac (working copy)
@@ -222,7 +222,7 @@
AC_CHECK_FUNCS([sigaction snprintf])
AC_CHECK_FUNCS(gethostbyname)
AC_SEARCH_LIBS(socket,socket)
-AC_CHECK_FUNCS([strcasecmp strncasecmp strchr strcspn strspn strtol])
+AC_CHECK_FUNCS([strcasecmp strncasecmp strchr strcspn strspn strtol strtoul strtoull])
AC_CHECK_FUNCS([malloc realloc])
AC_FUNC_FORK
@@ -235,6 +235,11 @@
AC_TYPE_UINT8_T
AC_TYPE_UINT16_T
AC_TYPE_UINT32_T
+AC_CHECK_SIZEOF(unsigned int)
+AC_CHECK_SIZEOF(unsigned long int)
+AC_CHECK_SIZEOF(unsigned long long int)
+AC_CHECK_SIZEOF(uid_t)
+AC_CHECK_SIZEOF(gid_t)
# check for support for the __thread keyword
AC_CACHE_CHECK([whether $CC supports '__thread'], [mn_cv_c___thread_supported],
Index: nslcd/cfg.c
===================================================================
--- nslcd/cfg.c (revision 1571)
+++ nslcd/cfg.c (working copy)
@@ -442,8 +442,9 @@
char *tmp;
check_argumentcount(filename,lnr,keyword,get_token(line,token,sizeof(token))!=NULL);
/* check if it is a valid numerical uid */
- *var=(uid_t)strtol(token,&tmp,0);
- if ((*token!='\0')&&(*tmp=='\0'))
+ errno=0;
+ *var=strtouid(token,&tmp,0);
+ if ((*token!='\0')&&(*tmp=='\0')&&(errno==0))
return;
/* find by name */
pwent=getpwnam(token);
@@ -467,8 +468,9 @@
char *tmp;
check_argumentcount(filename,lnr,keyword,get_token(line,token,sizeof(token))!=NULL);
/* check if it is a valid numerical gid */
- *var=(gid_t)strtol(token,&tmp,0);
- if ((*token!='\0')&&(*tmp=='\0'))
+ errno=0;
+ *var=strtogid(token,&tmp,0);
+ if ((*token!='\0')&&(*tmp=='\0')&&(errno==0))
return;
/* find by name */
grent=getgrnam(token);
Index: nslcd/service.c
===================================================================
--- nslcd/service.c (revision 1571)
+++ nslcd/service.c (working copy)
@@ -5,7 +5,7 @@
Copyright (C) 1997-2005 Luke Howard
Copyright (C) 2006 West Consulting
- Copyright (C) 2006, 2007, 2009, 2010 Arthur de Jong
+ Copyright (C) 2006, 2007, 2009, 2010, 2011 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -172,6 +172,7 @@
log_log(LOG_WARNING,"service entry %s contains multiple %s values",
myldap_get_dn(entry),attmap_service_ipServicePort);
}
+ errno=0;
port=(int)strtol(ports[0],&tmp,0);
if ((*(ports[0])=='\0')||(*tmp!='\0'))
{
@@ -179,6 +180,12 @@
myldap_get_dn(entry),attmap_service_ipServicePort);
return 0;
}
+ else if (errno!=0)
+ {
+ log_log(LOG_WARNING,"service entry %s contains too large %s value",
+ myldap_get_dn(entry),attmap_service_ipServicePort);
+ return 0;
+ }
/* get protocols */
protocols=myldap_get_values(entry,attmap_service_ipServiceProtocol);
if ((protocols==NULL)||(protocols[0]==NULL))
Index: nslcd/protocol.c
===================================================================
--- nslcd/protocol.c (revision 1571)
+++ nslcd/protocol.c (working copy)
@@ -5,7 +5,7 @@
Copyright (C) 1997-2005 Luke Howard
Copyright (C) 2006 West Consulting
- Copyright (C) 2006, 2007, 2009, 2010 Arthur de Jong
+ Copyright (C) 2006, 2007, 2009, 2010, 2011 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -143,6 +143,7 @@
log_log(LOG_WARNING,"protocol entry %s contains multiple %s values",
myldap_get_dn(entry),attmap_protocol_ipProtocolNumber);
}
+ errno=0;
proto=(int)strtol(protos[0],&tmp,0);
if ((*(protos[0])=='\0')||(*tmp!='\0'))
{
@@ -150,6 +151,12 @@
myldap_get_dn(entry),attmap_protocol_ipProtocolNumber);
return 0;
}
+ else if (errno!=0)
+ {
+ log_log(LOG_WARNING,"protocol entry %s contains too large %s value",
+ myldap_get_dn(entry),attmap_protocol_ipProtocolNumber);
+ return 0;
+ }
/* write entry */
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_STRING(fp,name);
Index: nslcd/passwd.c
===================================================================
--- nslcd/passwd.c (revision 1571)
+++ nslcd/passwd.c (working copy)
@@ -338,13 +338,20 @@
}
for (numuids=0;(numuids<MAXUIDS_PER_ENTRY)&&(tmpvalues[numuids]!=NULL);numuids++)
{
- uids[numuids]=(uid_t)strtol(tmpvalues[numuids],&tmp,0);
+ errno=0;
+ uids[numuids]=strtouid(tmpvalues[numuids],&tmp,0);
if ((*(tmpvalues[numuids])=='\0')||(*tmp!='\0'))
{
log_log(LOG_WARNING,"passwd entry %s contains non-numeric %s value",
myldap_get_dn(entry),attmap_passwd_uidNumber);
return 0;
}
+ else if (errno!=0)
+ {
+ log_log(LOG_WARNING,"passwd entry %s contains too large %s value",
+ myldap_get_dn(entry),attmap_passwd_uidNumber);
+ return 0;
+ }
}
}
/* get the gid for this entry */
@@ -355,13 +362,20 @@
myldap_get_dn(entry),attmap_passwd_gidNumber);
return 0;
}
- gid=(gid_t)strtol(gidbuf,&tmp,0);
+ errno=0;
+ gid=strtogid(gidbuf,&tmp,0);
if ((gidbuf[0]=='\0')||(*tmp!='\0'))
{
log_log(LOG_WARNING,"passwd entry %s contains non-numeric %s value",
myldap_get_dn(entry),attmap_passwd_gidNumber);
return 0;
}
+ else if (errno!=0)
+ {
+ log_log(LOG_WARNING,"passwd entry %s contains too large %s value",
+ myldap_get_dn(entry),attmap_passwd_gidNumber);
+ return 0;
+ }
/* get the gecos for this entry */
attmap_get_value(entry,attmap_passwd_gecos,gecos,sizeof(gecos));
/* get the home directory for this entry */
Index: nslcd/rpc.c
===================================================================
--- nslcd/rpc.c (revision 1571)
+++ nslcd/rpc.c (working copy)
@@ -5,7 +5,7 @@
Copyright (C) 1997-2005 Luke Howard
Copyright (C) 2006 West Consulting
- Copyright (C) 2006, 2007, 2009, 2010 Arthur de Jong
+ Copyright (C) 2006, 2007, 2009, 2010, 2011 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -144,6 +144,7 @@
log_log(LOG_WARNING,"rpc entry %s contains multiple %s values",
myldap_get_dn(entry),attmap_rpc_oncRpcNumber);
}
+ errno=0;
number=(int)strtol(numbers[0],&tmp,0);
if ((*(numbers[0])=='\0')||(*tmp!='\0'))
{
@@ -151,6 +152,12 @@
myldap_get_dn(entry),attmap_rpc_oncRpcNumber);
return 0;
}
+ else if (errno!=0)
+ {
+ log_log(LOG_WARNING,"rpc entry %s contains too large %s value",
+ myldap_get_dn(entry),attmap_rpc_oncRpcNumber);
+ return 0;
+ }
/* write the entry */
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_STRING(fp,name);
Index: nslcd/shadow.c
===================================================================
--- nslcd/shadow.c (revision 1571)
+++ nslcd/shadow.c (working copy)
@@ -128,22 +128,34 @@
return 0; /* error */
strncpy(buffer,date,l);
buffer[l]='\0';
+ errno=0;
value=strtol(date,&tmp,0);
if ((*date=='\0')||(*tmp!='\0'))
{
log_log(LOG_WARNING,"shadow entry contains non-numeric %s value",attr);
return 0;
}
+ else if (errno!=0)
+ {
+ log_log(LOG_WARNING,"shadow entry contains too large %s value",attr);
+ return -1;
+ }
return value/864-134774;
/* note that AD does not have expiry dates but a lastchangeddate
and some value that needs to be added */
}
+ errno=0;
value=strtol(date,&tmp,0);
if ((*date=='\0')||(*tmp!='\0'))
{
log_log(LOG_WARNING,"shadow entry contains non-numeric %s value",attr);
return 0;
}
+ else if (errno!=0)
+ {
+ log_log(LOG_WARNING,"shadow entry contains too large %s value",attr);
+ return -1;
+ }
return value;
}
@@ -155,12 +167,19 @@
tmpvalue=attmap_get_value(entry,attmap_shadow_##att,buffer,sizeof(buffer)); \
if (tmpvalue==NULL) \
tmpvalue=""; \
+ errno=0; \
var=strtol(tmpvalue,&tmp,0); \
if ((*(tmpvalue)=='\0')||(*tmp!='\0')) \
{ \
log_log(LOG_WARNING,"shadow entry %s contains non-numeric %s value", \
myldap_get_dn(entry),attmap_shadow_##att); \
return 0; \
+ } \
+ else if (errno!=0) \
+ { \
+ log_log(LOG_WARNING,"shadow entry %s contains too large %s value", \
+ myldap_get_dn(entry),attmap_shadow_##att); \
+ return 0; \
}
#define GET_OPTIONAL_DATE(var,att) \
Index: nslcd/common.c
===================================================================
--- nslcd/common.c (revision 1571)
+++ nslcd/common.c (working copy)
@@ -3,7 +3,7 @@
This file is part of the nss-pam-ldapd library.
Copyright (C) 2006 West Consulting
- Copyright (C) 2006, 2007, 2008, 2009 Arthur de Jong
+ Copyright (C) 2006, 2007, 2008, 2009, 2011 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -176,3 +176,20 @@
/* we're done */
return 0;
}
+
+#ifdef WANT_STRTOUI
+/* provide a strtoui() implementation, similar to strtoul() but returning
+ an range-checked unsigned int instead */
+unsigned int strtoui(const char *nptr,char **endptr,int base)
+{
+ unsigned long val;
+ val=strtoul(nptr,endptr,base);
+ if (val>UINT_MAX)
+ {
+ errno=ERANGE;
+ return UINT_MAX;
+ }
+ /* If errno was set by strtoull, we'll pass it back as-is */
+ return (unsigned int)val;
+}
+#endif /* WANT_STRTOUI */
Index: nslcd/group.c
===================================================================
--- nslcd/group.c (revision 1571)
+++ nslcd/group.c (working copy)
@@ -251,13 +251,20 @@
}
for (numgids=0;(gidvalues[numgids]!=NULL)&&(numgids<MAXGIDS_PER_ENTRY);numgids++)
{
- gids[numgids]=(gid_t)strtol(gidvalues[numgids],&tmp,0);
+ errno=0;
+ gids[numgids]=strtogid(gidvalues[numgids],&tmp,0);
if ((*(gidvalues[numgids])=='\0')||(*tmp!='\0'))
{
log_log(LOG_WARNING,"group entry %s contains non-numeric %s value",
myldap_get_dn(entry),attmap_group_gidNumber);
return 0;
}
+ else if (errno!=0)
+ {
+ log_log(LOG_WARNING,"group entry %s contains too large %s value",
+ myldap_get_dn(entry),attmap_group_gidNumber);
+ return 0;
+ }
}
}
/* get group passwd (userPassword) (use only first entry) */
Index: nslcd/common.h
===================================================================
--- nslcd/common.h (revision 1571)
+++ nslcd/common.h (working copy)
@@ -3,7 +3,7 @@
This file is part of the nss-pam-ldapd library.
Copyright (C) 2006 West Consulting
- Copyright (C) 2006, 2007, 2008, 2009, 2010 Arthur de Jong
+ Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -94,6 +94,37 @@
/* transforms the uid into a DN by doing an LDAP lookup */
MUST_USE char *uid2dn(MYLDAP_SESSION *session,const char *uid,char *buf,size_t buflen);
+/* provide strtouid() function alias */
+#if SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_INT
+#define strtouid (uid_t)strtoul
+#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_LONG_INT
+#define strtouid (uid_t)strtoull
+#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_INT
+#define WANT_STRTOUI 1
+#define strtouid (uid_t)strtoui
+#else
+#error unable to find implementation for strtouid()
+#endif
+
+/* provide strtouid() function alias */
+#if SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_INT
+#define strtogid (gid_t)strtoul
+#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_LONG_INT
+#define strtogid (gid_t)strtoull
+#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_INT
+#ifndef WANT_STRTOUI
+#define WANT_STRTOUI 1
+#endif
+#define strtogid (uid_t)strtoui
+#else
+#error unable to find implementation for strtogid()
+#endif
+
+#ifdef WANT_STRTOUI
+/* provide a strtoui() if it is needed */
+unsigned int strtoui(const char *nptr,char **endptr,int base);
+#endif /* WANT_STRTOUI */
+
/* these are the functions for initialising the database specific
modules */
void alias_init(void);
Attachment:
signature.asc
Description: This is a digitally signed message part