Home Explore Help
Sign In
miti
/
graphene
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 22043ce260
Branches Tags
graphene
/
LibOS
/
glibc-patches
/
nis-bogus-conditional.patch

nis-bogus-conditional.patch 2.3 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 
  1. commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
    2. 

  2. Author: Joseph Myers <joseph@codesourcery.com>
    3. 

  3. Date:   Wed Dec 21 23:44:01 2016 +0000
    4. 

  4. 

  5.     Fix nss_nisplus build with mainline GCC (bug 20978).
    6. 

  6.     
    7. 

  7.     glibc build with current mainline GCC fails because
    8. 

  8.     nis/nss_nisplus/nisplus-alias.c contains code
    9. 

  9.     
    10. 

  10.       if (name != NULL)
    11. 

  11.         {
    12. 

  12.           *errnop = EINVAL;
    13. 

  13.           return NSS_STATUS_UNAVAIL;
    14. 

  14.         }
    15. 

  15.     
    16. 

  16.       char buf[strlen (name) + 9 + tablename_len];
    17. 

  17.     
    18. 

  18.     producing an error about strlen being called on a pointer that is
    19. 

  19.     always NULL (and a subsequent use of that pointer with a %s format in
    20. 

  20.     snprintf).
    21. 

  21.     
    22. 

  22.     As Andreas noted, the bogus conditional comes from a 1997 change:
    23. 

  23.     
    24. 

  24.     -  if (name == NULL || strlen(name) > 8)
    25. 

  25.     -    return NSS_STATUS_NOTFOUND;
    26. 

  26.     -  else
    27. 

  27.     +  if (name != NULL || strlen(name) <= 8)
    28. 

  28.     
    29. 

  29.     So the intention is clearly to return an error for NULL name.
    30. 

  30.     
    31. 

  31.     This patch duly inverts the sense of the conditional.  It fixes the
    32. 

  32.     build with GCC mainline, and passes usual glibc testsuite testing for
    33. 

  33.     x86_64.  However, I have not tried any actual substantive nisplus
    34. 

  34.     testing, do not have an environment for such testing, and do not know
    35. 

  35.     whether it is possible that strlen (name) or tablename_len might be
    36. 

  36.     large so that the VLA for buf is actually a security issue.  However,
    37. 

  37.     if it is a security issue, there are plenty of other similar instances
    38. 

  38.     in the nisplus code (that haven't been hidden by a bogus comparison
    39. 

  39.     with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
    40. 

  40.     string passed to nis_list, so a local fix in the caller wouldn't
    41. 

  41.     suffice anyway (see bug 20987).  (Calls to strdupa and other such
    42. 

  42.     macros that use alloca must be considered equally questionable
    43. 

  43.     regarding stack overflow issues as direct calls to alloca and VLA
    44. 

  44.     declarations.)
    45. 

  45.     
    46. 

  46.             [BZ #20978]
    47. 

  47.             * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
    48. 

  48.             Compare name == NULL, not name != NULL.
    49. 

  49. 

  50. ---
    51. 

  51.  nis/nss_nisplus/nisplus-alias.c |    2 +-
    52. 

  52.  1 file changed, 1 insertion(+), 1 deletion(-)
    53. 

  53. 

  54. --- a/nis/nss_nisplus/nisplus-alias.c
    55. 

  55. +++ b/nis/nss_nisplus/nisplus-alias.c
    56. 

  56. @@ -291,7 +291,7 @@
    57. 

  57.  	return status;
    58. 

  58.      }
    59. 

  59.  
    60. 

  60. -  if (name != NULL)
    61. 

  61. +  if (name == NULL)
    62. 

  62.      {
    63. 

  63.        *errnop = EINVAL;
    64. 

  64.        return NSS_STATUS_UNAVAIL;
    65.