search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Further harden glibc malloc metadata against 1-byte overflows.
[glibc.git] / nss / bug17079.c
blob4171c7db5575eb4d8762b1d803a89bea9557ebac
1 /* Test for bug 17079: heap overflow in NSS with small buffers.
2 Copyright (C) 2015-2017 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4
5 The GNU C Library is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public
7 License as published by the Free Software Foundation; either
8 version 2.1 of the License, or (at your option) any later version.
9
10 The GNU C Library is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Lesser General Public License for more details.
14
15 You should have received a copy of the GNU Lesser General Public
16 License along with the GNU C Library; if not, see
17 <http://www.gnu.org/licenses/>. */
18
19 #include <errno.h>
20 #include <pwd.h>
21 #include <stdbool.h>
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25
26 /* Check if two passwd structs contain the same data. */
27 static bool
28 equal (const struct passwd *a, const struct passwd *b)
29 {
30 return strcmp (a->pw_name, b->pw_name) == 0
31 && strcmp (a->pw_passwd, b->pw_passwd) == 0
32 && a->pw_uid == b->pw_uid
33 && a->pw_gid == b->pw_gid
34 && strcmp (a->pw_gecos, b->pw_gecos) == 0
35 && strcmp (a->pw_dir, b->pw_dir) == 0
36 && strcmp (a->pw_shell, b->pw_shell) == 0;
37 }
38
39 enum { MAX_TEST_ITEMS = 10 };
40 static struct passwd test_items[MAX_TEST_ITEMS];
41 static int test_count;
42
43 /* Initialize test_items and test_count above, with data from the
44 passwd database. */
45 static bool
46 init_test_items (void)
47 {
48 setpwent ();
49 do
50 {
51 struct passwd *pwd = getpwent ();
52 if (pwd == NULL)
53 break;
54 struct passwd *target = test_items + test_count;
55 target->pw_name = strdup (pwd->pw_name);
56 target->pw_passwd = strdup (pwd->pw_passwd);
57 target->pw_uid = pwd->pw_uid;
58 target->pw_gid = pwd->pw_gid;
59 target->pw_gecos = strdup (pwd->pw_gecos);
60 target->pw_dir = strdup (pwd->pw_dir);
61 target->pw_shell = strdup (pwd->pw_shell);
62 }
63 while (++test_count < MAX_TEST_ITEMS);
64 endpwent ();
65
66 /* Filter out those test items which cannot be looked up by name or
67 UID. */
68 bool found = false;
69 for (int i = 0; i < test_count; ++i)
70 {
71 struct passwd *pwd1 = getpwnam (test_items[i].pw_name);
72 struct passwd *pwd2 = getpwuid (test_items[i].pw_uid);
73 if (pwd1 == NULL || !equal (pwd1, test_items + i)
74 || pwd2 == NULL || !equal (pwd2, test_items + i))
75 {
76 printf ("info: skipping user \"%s\", UID %ld due to inconsistency\n",
77 test_items[i].pw_name, (long) test_items[i].pw_uid);
78 test_items[i].pw_name = NULL;
79 }
80 else
81 found = true;
82 }
83
84 if (!found)
85 puts ("error: no accounts found which can be looked up by name and UID.");
86 return found;
87 }
88
89 /* Set to true if an error is encountered. */
90 static bool errors;
91
92 /* Return true if the padding has not been tampered with. */
93 static bool
94 check_padding (char *buffer, size_t size, char pad)
95 {
96 char *end = buffer + size;
97 while (buffer < end)
98 {
99 if (*buffer != pad)
100 return false;
101 ++buffer;
102 }
103 return true;
104 }
105
106 /* Test one buffer size and padding combination. */
107 static void
108 test_one (const struct passwd *item, size_t buffer_size,
109 char pad, size_t padding_size)
110 {
111 char *buffer = malloc (buffer_size + padding_size);
112 if (buffer == NULL)
113 {
114 puts ("error: malloc failure");
115 errors = true;
116 return;
117 }
118
119 struct passwd pwd;
120 struct passwd *result;
121 int ret;
122
123 /* Test getpwname_r. */
124 memset (buffer, pad, buffer_size + padding_size);
125 pwd = (struct passwd) {};
126 ret = getpwnam_r (item->pw_name, &pwd, buffer, buffer_size, &result);
127 if (!check_padding (buffer + buffer_size, padding_size, pad))
128 {
129 printf ("error: padding change: "
130 "name \"%s\", buffer size %zu, padding size %zu, pad 0x%02x\n",
131 item->pw_name, buffer_size, padding_size, (unsigned char) pad);
132 errors = true;
133 }
134 if (ret == 0)
135 {
136 if (result == NULL)
137 {
138 printf ("error: no data: name \"%s\", buffer size %zu\n",
139 item->pw_name, buffer_size);
140 errors = true;
141 }
142 else if (!equal (item, result))
143 {
144 printf ("error: lookup mismatch: name \"%s\", buffer size %zu\n",
145 item->pw_name, buffer_size);
146 errors = true;
147 }
148 }
149 else if (ret != ERANGE)
150 {
151 errno = ret;
152 printf ("error: lookup failure for name \"%s\": %m (%d)\n",
153 item->pw_name, ret);
154 errors = true;
155 }
156
157 /* Test getpwuid_r. */
158 memset (buffer, pad, buffer_size + padding_size);
159 pwd = (struct passwd) {};
160 ret = getpwuid_r (item->pw_uid, &pwd, buffer, buffer_size, &result);
161 if (!check_padding (buffer + buffer_size, padding_size, pad))
162 {
163 printf ("error: padding change: "
164 "UID %ld, buffer size %zu, padding size %zu, pad 0x%02x\n",
165 (long) item->pw_uid, buffer_size, padding_size,
166 (unsigned char) pad);
167 errors = true;
168 }
169 if (ret == 0)
170 {
171 if (result == NULL)
172 {
173 printf ("error: no data: UID %ld, buffer size %zu\n",
174 (long) item->pw_uid, buffer_size);
175 errors = true;
176 }
177 else if (!equal (item, result))
178 {
179 printf ("error: lookup mismatch: UID %ld, buffer size %zu\n",
180 (long) item->pw_uid, buffer_size);
181 errors = true;
182 }
183 }
184 else if (ret != ERANGE)
185 {
186 errno = ret;
187 printf ("error: lookup failure for UID \"%ld\": %m (%d)\n",
188 (long) item->pw_uid, ret);
189 errors = true;
190 }
191
192 free (buffer);
193 }
194
195 /* Test one buffer size with different paddings. */
196 static void
197 test_buffer_size (size_t buffer_size)
198 {
199 for (int i = 0; i < test_count; ++i)
200 for (size_t padding_size = 0; padding_size < 3; ++padding_size)
201 {
202 /* Skip entries with inconsistent name/UID lookups. */
203 if (test_items[i].pw_name == NULL)
204 continue;
205
206 test_one (test_items + i, buffer_size, '\0', padding_size);
207 if (padding_size > 0)
208 {
209 test_one (test_items + i, buffer_size, ':', padding_size);
210 test_one (test_items + i, buffer_size, '\n', padding_size);
211 test_one (test_items + i, buffer_size, '\xff', padding_size);
212 test_one (test_items + i, buffer_size, '@', padding_size);
213 }
214 }
215 }
216
217 int
218 do_test (void)
219 {
220 if (!init_test_items ())
221 return 1;
222 printf ("info: %d test items\n", test_count);
223
224 for (size_t buffer_size = 0; buffer_size <= 65; ++buffer_size)
225 test_buffer_size (buffer_size);
226 for (size_t buffer_size = 64 + 4; buffer_size < 256; buffer_size += 4)
227 test_buffer_size (buffer_size);
228 test_buffer_size (255);
229 test_buffer_size (257);
230 for (size_t buffer_size = 256; buffer_size < 512; buffer_size += 8)
231 test_buffer_size (buffer_size);
232 test_buffer_size (511);
233 test_buffer_size (513);
234 test_buffer_size (1024);
235 test_buffer_size (2048);
236
237 if (errors)
238 return 1;
239 else
240 return 0;
241 }
242
243 #define TEST_FUNCTION do_test ()
244 #include "../test-skeleton.c"
sources.redhat.com git mirror of glibc CVS