From 9ec7fa5fdae099ff8a11e24cf40ee603403991e1 Mon Sep 17 00:00:00 2001
From: Laurent Bercot
Date: Sun, 21 Jun 2026 21:07:50 +0000
Subject: Fix hardening of string reading from nsssd-switch
---
 AUTHORS | 1 +
 src/libnsss/nsss_switch_grp_read.c | 6 +++---
 src/libnsss/nsss_switch_pwd_read.c | 10 +++++-----
 src/libnsss/nsss_switch_shadow_read.c | 4 ++--
 4 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index 26ef925..de17191 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -9,3 +9,4 @@ Contributors:
 Thanks to:
 A. Wilcox
 Elizabeth Meyers
+ Wolf480pl
diff --git a/src/libnsss/nsss_switch_grp_read.c b/src/libnsss/nsss_switch_grp_read.c
index 47577f0..2fb34bc 100644
--- a/src/libnsss/nsss_switch_grp_read.c
+++ b/src/libnsss/nsss_switch_grp_read.c
@@ -43,13 +43,13 @@ int nsss_switch_grp_read (buffer *b, struct group *gr, stralloc *sa, genalloc *g
 p = sa->s + sa->len ; len = total ;
 q = genalloc_s(char *, ga) + genalloc_len(char *, ga) ;
 grtmp.gr_mem = q ;
- grtmp.gr_name = p ; x = strnlen(p, len) + 1 ; p += x ; len -= x ;
+ grtmp.gr_name = p ; x = strnlen(p, len-1) + 1 ; p += x ; len -= x ;
 if (!len) return (errno = EPROTO, 0) ;
- grtmp.gr_passwd = p ; x = strnlen(p, len) + 1 ; p += x ; len -= x ;
+ grtmp.gr_passwd = p ; x = strnlen(p, len-1) + 1 ; p += x ; len -= x ;
 for (uint32_t i = 0 ; i < n ; i++)
 {
 if (!len) return (errno = EPROTO, 0) ;
- q[i] = p ; x = strnlen(p, len) + 1 ; p += x ; len -= x ;
+ q[i] = p ; x = strnlen(p, len-1) + 1 ; p += x ; len -= x ;
 }
 if (len) return (errno = EPROTO, 0) ;
 q[n] = 0 ;
diff --git a/src/libnsss/nsss_switch_pwd_read.c b/src/libnsss/nsss_switch_pwd_read.c
index 4cfb9c5..8ce9232 100644
--- a/src/libnsss/nsss_switch_pwd_read.c
+++ b/src/libnsss/nsss_switch_pwd_read.c
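Review bot: The new bound `len-1` is only safe while `len` is nonzero, and the first call in the nsss_switch_grp_read hunk (`grtmp.gr_name`, right after `len = total`) has no visible guard, whereas the later calls are preceded by `if (!len) return (errno = EPROTO, 0) ;`. If `total` can arrive as 0 from the peer and `len` is an unsigned type (its declaration is outside the hunk), `len-1` wraps and strnlen() is no longer bounded by the data that was actually received. The same first-field pattern occurs in the nsss_switch_pwd_read hunk (`pwtmp.pw_name`) and the nsss_switch_shadow_read hunk (`sptmp.sp_namp`), where `sa->s[sa->len + total - 1]` would additionally index one byte before the new data. Unless `total` is already range-checked above these hunks, I would add `if (!total) return (errno = EPROTO, 0) ;` before the read, or at least a comment naming the check that guarantees it.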
@@ -38,15 +38,15 @@ int nsss_switch_pwd_read (buffer *b, struct passwd *pw, stralloc *sa, tain const
 if (!buffer_timed_get(b, sa->s + sa->len, total, deadline, stamp)) return 0 ;
 if (sa->s[sa->len + total - 1]) return (errno = EPROTO, 0) ;
 p = sa->s + sa->len ; len = total ;
- pwtmp.pw_name = p ; x = strnlen(p, len) + 1 ; p += x ; len -= x ;
+ pwtmp.pw_name = p ; x = strnlen(p, len-1) + 1 ; p += x ; len -= x ;
 if (!len) return (errno = EPROTO, 0) ;
- pwtmp.pw_passwd = p ; x = strnlen(p, len) + 1 ; p += x ; len -= x ;
+ pwtmp.pw_passwd = p ; x = strnlen(p, len-1) + 1 ; p += x ; len -= x ;
 if (!len) return (errno = EPROTO, 0) ;
- pwtmp.pw_gecos = p ; x = strnlen(p, len) + 1 ; p += x ; len -= x ;
+ pwtmp.pw_gecos = p ; x = strnlen(p, len-1) + 1 ; p += x ; len -= x ;
 if (!len) return (errno = EPROTO, 0) ;
- pwtmp.pw_dir = p ; x = strnlen(p, len) + 1 ; p += x ; len -= x ;
+ pwtmp.pw_dir = p ; x = strnlen(p, len-1) + 1 ; p += x ; len -= x ;
 if (!len) return (errno = EPROTO, 0) ;
- pwtmp.pw_shell = p ; x = strnlen(p, len) + 1 ; p += x ; len -= x ;
+ pwtmp.pw_shell = p ; x = strnlen(p, len-1) + 1 ; p += x ; len -= x ;
 if (len) return (errno = EPROTO, 0) ;
 sa->len += total ;
 *pw = pwtmp ;
diff --git a/src/libnsss/nsss_switch_shadow_read.c b/src/libnsss/nsss_switch_shadow_read.c
index 7d4c2a4..2bb4b7a 100644
--- a/src/libnsss/nsss_switch_shadow_read.c
+++ b/src/libnsss/nsss_switch_shadow_read.c
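Review bot: The sequence `x = strnlen(p, len-1) + 1 ; p += x ; len -= x ;` is written out five times in this hunk, and five more times across the grp and shadow readers, so this fix had to be applied by hand to every copy and any later change to the bound will have to be as well. A small static helper that takes `&p` and `&len`, returns the start of the field and advances both would keep the bound in one place, next to the `if (!len)` protocol check. nsss_switch_pwd_read begins and ends outside the hunk, so whether the library already has a suitable helper cannot be told from here.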
@@ -47,9 +47,9 @@ int nsss_switch_shadow_read (buffer *b, struct spwd *sp, stralloc *sa, tain cons
 if (!buffer_timed_get(b, sa->s + sa->len, total, deadline, stamp)) return 0 ;
 if (sa->s[sa->len + total - 1]) return (errno = EPROTO, 0) ;
 p = sa->s + sa->len ; len = total ;
- sptmp.sp_namp = p ; x = strnlen(p, len) + 1 ; p += x ; len -= x ;
+ sptmp.sp_namp = p ; x = strnlen(p, len-1) + 1 ; p += x ; len -= x ;
 if (!len) return (errno = EPROTO, 0) ;
- sptmp.sp_pwdp = p ; x = strnlen(p, len) + 1 ; p += x ; len -= x ;
+ sptmp.sp_pwdp = p ; x = strnlen(p, len-1) + 1 ; p += x ; len -= x ;
 if (len) return (errno = EPROTO, 0) ;
 sa->len += total ;
 *sp = sptmp ;
--
cgit v1.3.1
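Review bot: Nothing in the code says why the bound is `len-1` rather than `len`, and with the trailing-byte check two lines above `sptmp.sp_namp` (`if (sa->s[sa->len + total - 1]) ...`) a reader can easily conclude the two are equivalent and simplify it back. A one-line comment above the first field, such as `/* bound by len-1: x can never exceed len, so len -= x cannot wrap */`, would record the intent of the hardening. That statement presumes `len` is nonzero at each call; the body of nsss_switch_shadow_read starts and ends outside the hunk.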