From b5d6a9dc1ad63e8567de4c2805fc5baad54dc456 Mon Sep 17 00:00:00 2001
From: Michal Zidek
Date: Mon, 5 Aug 2013 20:59:33 +0200
Subject: mmap_cache: Check if slot and name_ptr are not invalid.
This patch prevents jumping outside of allocated memory in case of corrupted slot or name_ptr values. It is not proper solution, just hotfix until we find out what is the root cause of ticket https://fedorahosted.org/sssd/ticket/2018
---
 src/sss_client/nss_mc_group.c | 8 ++++++++
 src/sss_client/nss_mc_passwd.c | 8 ++++++++
 2 files changed, 16 insertions(+)
(limited to 'src/sss_client')
diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
index 7beeb2823..41d8d65a9 100644
--- a/src/sss_client/nss_mc_group.c
+++ b/src/sss_client/nss_mc_group.c
@@ -117,6 +117,10 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
 }
 while (slot != MC_INVALID_VAL) {
+ if (slot > MC_SIZE_TO_SLOTS(gr_mc_ctx.dt_size)) {
+ /* This probably means that the memory cache was corrupted. */
+ return ENOENT;
+ }
 ret = sss_nss_mc_get_record(&gr_mc_ctx, slot, &rec);
 if (ret) {
@@ -181,6 +185,10 @@ errno_t sss_nss_mc_getgrgid(gid_t gid,
 }
 while (slot != MC_INVALID_VAL) {
+ if (slot > MC_SIZE_TO_SLOTS(gr_mc_ctx.dt_size)) {
+ /* This probably means that the memory cache was corrupted. */
+ return ENOENT;
+ }
 ret = sss_nss_mc_get_record(&gr_mc_ctx, slot, &rec);
 if (ret) {
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
index ca9945e4b..fb29b9750 100644
--- a/src/sss_client/nss_mc_passwd.c
+++ b/src/sss_client/nss_mc_passwd.c
@@ -118,6 +118,10 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
 }
 while (slot != MC_INVALID_VAL) {
+ if (slot > MC_SIZE_TO_SLOTS(pw_mc_ctx.dt_size)) {
+ /* This probably means that the memory cache was corrupted */
+ return ENOENT;
+ }
 ret = sss_nss_mc_get_record(&pw_mc_ctx, slot, &rec);
 if (ret) {
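Review bot: The new guard `slot > MC_SIZE_TO_SLOTS(gr_mc_ctx.dt_size)` still lets `slot == MC_SIZE_TO_SLOTS(...)` through; if that macro yields the slot count and slots are zero-indexed (not visible here, but the usual convention), that value is one past the last slot and sss_nss_mc_get_record is still called with an out-of-range index, so the check should read `if (slot >= MC_SIZE_TO_SLOTS(gr_mc_ctx.dt_size)) {` — the same applies to the sss_nss_mc_getgrgid, sss_nss_mc_getpwnam and sss_nss_mc_getpwuid hunks, which use pw_mc_ctx in the passwd file. The identical four-line check is now pasted into four loops; a single bounds-check macro or static inline helper beside MC_SIZE_TO_SLOTS in the shared mmap-cache header would keep the bound in one place and make the `>` vs `>=` decision a single-point fix. The subject says slot and name_ptr are both validated, but the diffstat's 16 insertions are all slot checks, so the name_ptr validation is either elsewhere or the subject overstates the change. Each enclosing function starts and ends outside its hunk, so the value that feeds `slot` on the next iteration is not reviewable here.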
@@ -182,6 +186,10 @@ errno_t sss_nss_mc_getpwuid(uid_t uid,
 }
 while (slot != MC_INVALID_VAL) {
+ if (slot > MC_SIZE_TO_SLOTS(pw_mc_ctx.dt_size)) {
+ /* This probably means that the memory cache was corrupted */
+ return ENOENT;
+ }
 ret = sss_nss_mc_get_record(&pw_mc_ctx, slot, &rec);
 if (ret) {
-- cgit