authorMichal Zidek <mzidek@redhat.com>2013-08-05 20:59:33 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-08-11 22:21:17 +0200
commitb5d6a9dc1ad63e8567de4c2805fc5baad54dc456 (patch)
tree4ee3d0db415ba34b1817570d9a9008e3e3e0e8fc /src/sss_client
parent29b9dbc96370b85e460156e528cb2542c160cfd3 (diff)
mmap_cache: Check if slot and name_ptr are not invalid.sssd-1.9.2-118.el6
This patch prevents jumping outside of allocated memory in case of corrupted slot or name_ptr values. It is not a proper solution, just a hotfix until we find the root cause of ticket https://fedorahosted.org/sssd/ticket/2018
Diffstat (limited to 'src/sss_client')
-rw-r--r--src/sss_client/nss_mc_group.c8
-rw-r--r--src/sss_client/nss_mc_passwd.c8
2 files changed, 16 insertions, 0 deletions
diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
index 7beeb2823..41d8d65a9 100644
--- a/src/sss_client/nss_mc_group.c
+++ b/src/sss_client/nss_mc_group.c
@@ -117,6 +117,10 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
}
while (slot != MC_INVALID_VAL) {
+ if (slot > MC_SIZE_TO_SLOTS(gr_mc_ctx.dt_size)) {
+ /* This probably means that the memory cache was corrupted. */
+ return ENOENT;
+ }
ret = sss_nss_mc_get_record(&gr_mc_ctx, slot, &rec);
if (ret) {
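Review bot: The new bound in sss_nss_mc_getgrnam compares with `>`, so a slot equal to `MC_SIZE_TO_SLOTS(gr_mc_ctx.dt_size)` still reaches sss_nss_mc_get_record. If that macro yields the number of slots in the data table (its definition is not visible here), the last valid index is one less and the test should read `if (slot >= MC_SIZE_TO_SLOTS(gr_mc_ctx.dt_size)) {`. The same comparison appears in sss_nss_mc_getgrgid and in both nss_mc_passwd.c hunks. The guard also only covers the slot where a record starts; a record whose stored length runs past the end of the table would presumably need a bound inside the helper as well. The loop body continues outside the hunk.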
@@ -181,6 +185,10 @@ errno_t sss_nss_mc_getgrgid(gid_t gid,
}
while (slot != MC_INVALID_VAL) {
+ if (slot > MC_SIZE_TO_SLOTS(gr_mc_ctx.dt_size)) {
+ /* This probably means that the memory cache was corrupted. */
+ return ENOENT;
+ }
ret = sss_nss_mc_get_record(&gr_mc_ctx, slot, &rec);
if (ret) {
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
index ca9945e4b..fb29b9750 100644
--- a/src/sss_client/nss_mc_passwd.c
+++ b/src/sss_client/nss_mc_passwd.c
@@ -118,6 +118,10 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
}
while (slot != MC_INVALID_VAL) {
+ if (slot > MC_SIZE_TO_SLOTS(pw_mc_ctx.dt_size)) {
+ /* This probably means that the memory cache was corrupted */
+ return ENOENT;
+ }
ret = sss_nss_mc_get_record(&pw_mc_ctx, slot, &rec);
if (ret) {
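Review bot: The added `return ENOENT;` in sss_nss_mc_getpwnam exits from inside the loop that hands `&rec` to sss_nss_mc_get_record, so it bypasses any cleanup the function performs on its normal exit path. The rest of the function is outside the hunk, so this needs confirming, but if `rec` is released at a shared cleanup label, a corrupted `slot` met on a second or later iteration would leak whatever the helper stored there. In that case set `ret = ENOENT;` and jump to the function's existing cleanup label instead of returning directly. The same applies to sss_nss_mc_getpwuid and to both nss_mc_group.c hunks.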
@@ -182,6 +186,10 @@ errno_t sss_nss_mc_getpwuid(uid_t uid,
}
while (slot != MC_INVALID_VAL) {
+ if (slot > MC_SIZE_TO_SLOTS(pw_mc_ctx.dt_size)) {
+ /* This probably means that the memory cache was corrupted */
+ return ENOENT;
+ }
ret = sss_nss_mc_get_record(&pw_mc_ctx, slot, &rec);
if (ret) {