• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 #include <pthread.h>
2 #include <byteswap.h>
3 #include <string.h>
4 #include <unistd.h>
5 #include "pwf.h"
6 #include "nscd.h"
7 
itoa(char * p,uint32_t x)8 static char *itoa(char *p, uint32_t x)
9 {
10 	// number of digits in a uint32_t + NUL
11 	p += 11;
12 	*--p = 0;
13 	do {
14 		*--p = '0' + x % 10;
15 		x /= 10;
16 	} while (x);
17 	return p;
18 }
19 
__getpw_a(const char * name,uid_t uid,struct passwd * pw,char ** buf,size_t * size,struct passwd ** res)20 int __getpw_a(const char *name, uid_t uid, struct passwd *pw, char **buf, size_t *size, struct passwd **res)
21 {
22 	FILE *f;
23 	int cs;
24 	int rv = 0;
25 
26 	*res = 0;
27 
28 	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &cs);
29 
30 	f = fopen("/etc/passwd", "rbe");
31 	if (!f) {
32 		rv = errno;
33 		goto done;
34 	}
35 
36 	while (!(rv = __getpwent_a(f, pw, buf, size, res)) && *res) {
37 		if (name && !strcmp(name, (*res)->pw_name)
38 		|| !name && (*res)->pw_uid == uid)
39 			break;
40 	}
41 	fclose(f);
42 
43 	if (!*res && (rv == 0 || rv == ENOENT || rv == ENOTDIR)) {
44 		int32_t req = name ? GETPWBYNAME : GETPWBYUID;
45 		const char *key;
46 		int32_t passwdbuf[PW_LEN] = {0};
47 		size_t len = 0;
48 		char uidbuf[11] = {0};
49 
50 		if (name) {
51 			key = name;
52 		} else {
53 			/* uid outside of this range can't be queried with the
54 			 * nscd interface, but might happen if uid_t ever
55 			 * happens to be a larger type (this is not true as of
56 			 * now)
57 			 */
58 			if(uid < 0 || uid > UINT32_MAX) {
59 				rv = 0;
60 				goto done;
61 			}
62 			key = itoa(uidbuf, uid);
63 		}
64 
65 		f = __nscd_query(req, key, passwdbuf, sizeof passwdbuf, (int[]){0});
66 		if (!f) { rv = errno; goto done; }
67 
68 		if(!passwdbuf[PWFOUND]) { rv = 0; goto cleanup_f; }
69 
70 		/* A zero length response from nscd is invalid. We ignore
71 		 * invalid responses and just report an error, rather than
72 		 * trying to do something with them.
73 		 */
74 		if (!passwdbuf[PWNAMELEN] || !passwdbuf[PWPASSWDLEN]
75 		|| !passwdbuf[PWGECOSLEN] || !passwdbuf[PWDIRLEN]
76 		|| !passwdbuf[PWSHELLLEN]) {
77 			rv = EIO;
78 			goto cleanup_f;
79 		}
80 
81 		if ((passwdbuf[PWNAMELEN]|passwdbuf[PWPASSWDLEN]
82 		     |passwdbuf[PWGECOSLEN]|passwdbuf[PWDIRLEN]
83 		     |passwdbuf[PWSHELLLEN]) >= SIZE_MAX/8) {
84 			rv = ENOMEM;
85 			goto cleanup_f;
86 		}
87 
88 		len = passwdbuf[PWNAMELEN] + passwdbuf[PWPASSWDLEN]
89 		    + passwdbuf[PWGECOSLEN] + passwdbuf[PWDIRLEN]
90 		    + passwdbuf[PWSHELLLEN];
91 
92 		if (len > *size || !*buf) {
93 			char *tmp = realloc(*buf, len);
94 			if (!tmp) {
95 				rv = errno;
96 				goto cleanup_f;
97 			}
98 			*buf = tmp;
99 			*size = len;
100 		}
101 
102 		if (!fread(*buf, len, 1, f)) {
103 			rv = ferror(f) ? errno : EIO;
104 			goto cleanup_f;
105 		}
106 
107 		pw->pw_name = *buf;
108 		pw->pw_passwd = pw->pw_name + passwdbuf[PWNAMELEN];
109 		pw->pw_gecos = pw->pw_passwd + passwdbuf[PWPASSWDLEN];
110 		pw->pw_dir = pw->pw_gecos + passwdbuf[PWGECOSLEN];
111 		pw->pw_shell = pw->pw_dir + passwdbuf[PWDIRLEN];
112 		pw->pw_uid = passwdbuf[PWUID];
113 		pw->pw_gid = passwdbuf[PWGID];
114 
115 		/* Don't assume that nscd made sure to null terminate strings.
116 		 * It's supposed to, but malicious nscd should be ignored
117 		 * rather than causing a crash.
118 		 */
119 		if (pw->pw_passwd[-1] || pw->pw_gecos[-1] || pw->pw_dir[-1]
120 		|| pw->pw_shell[passwdbuf[PWSHELLLEN]-1]) {
121 			rv = EIO;
122 			goto cleanup_f;
123 		}
124 
125 		if (name && strcmp(name, pw->pw_name)
126 		|| !name && uid != pw->pw_uid) {
127 			rv = EIO;
128 			goto cleanup_f;
129 		}
130 
131 
132 		*res = pw;
133 cleanup_f:
134 		fclose(f);
135 		goto done;
136 	}
137 
138 done:
139 	pthread_setcancelstate(cs, 0);
140 	if (rv) errno = rv;
141 	return rv;
142 }
143