From thomas@cuivre.fr.eu.org  Mon Sep  4 14:32:12 2006
Return-Path: <thomas@cuivre.fr.eu.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D878216A4DA
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  4 Sep 2006 14:32:12 +0000 (UTC)
	(envelope-from thomas@cuivre.fr.eu.org)
Received: from melamine.cuivre.fr.eu.org (melusine.cuivre.fr.eu.org [82.225.155.84])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7126D43D6E
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  4 Sep 2006 14:32:09 +0000 (GMT)
	(envelope-from thomas@cuivre.fr.eu.org)
Received: by melamine.cuivre.fr.eu.org (Postfix, from userid 1000)
	id 5985D5C44B; Mon,  4 Sep 2006 16:32:08 +0200 (CEST)
Message-Id: <20060904143208.5985D5C44B@melamine.cuivre.fr.eu.org>
Date: Mon,  4 Sep 2006 16:32:08 +0200 (CEST)
From: Thomas Quinot <thomas@cuivre.fr.eu.org>
Reply-To: Thomas Quinot <thomas@cuivre.fr.eu.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Malformed line in master.passwd causes libutil's pw_copy to crash
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         102848
>Category:       bin
>Synopsis:       Malformed line in master.passwd causes libutil's pw_copy to crash
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    thomas
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 04 14:40:20 GMT 2006
>Closed-Date:    Mon Sep 25 10:29:06 GMT 2006
>Last-Modified:  Mon Sep 25 10:29:06 GMT 2006
>Originator:     Thomas Quinot
>Release:        FreeBSD 6.1-RC i386
>Organization:
>Environment:
System: FreeBSD melamine.cuivre.fr.eu.org 6.1-RC FreeBSD 6.1-RC #0: Thu May 4 13:21:21 CEST 2006 thomas@melamine.cuivre.fr.eu.org:/space/build/obj/space/build/src/RELENG_6/sys/MELAMINE i386


	
>Description:
	pw_copy is a libutil subprogram that copies master.passwd and replaces
	or adds a single entry. It is used, among others, by rpc.yppasswdd, to
	update master.passwd for a single user.

	When a malformed line is encountered in master.passwd, this function
	causes a null pointer dereference instead of silently copying the malformed
	line to the output FD. In the case of rpc.yppasswdd, this causes the daemon
	to abort if a password change is attempted for an entry located after the
	malformed one.

>How-To-Repeat:
	Add a malformed entry (wrong number of fields) to master.passwd
	on a NIS server.
	Use rpc.yppasswdd to attempt to change the password of an entry
	located after the faulty one.
	Observe that rpc.yppasswdd dies on a segfault and that master.passwd
	is left unmodified.
>Fix:

Index: pw_util.c
===================================================================
RCS file: /space/mirror/ncvs/src/lib/libutil/pw_util.c,v
retrieving revision 1.35
diff -u -r1.35 pw_util.c
--- pw_util.c	18 May 2004 15:53:58 -0000	1.35
+++ pw_util.c	4 Sep 2006 10:43:53 -0000
@@ -481,13 +481,22 @@
 		}
 
 		/* is it the one we're looking for? */
+
 		t = *q;
 		*q = '\0';
+
 		fpw = pw_scan(r, PWSCAN_MASTER);
+
+		/*
+		 * fpw is either the struct password for the current line,
+		 * or NULL if the line is malformed.
+		 */
+
 		*q = t;
-		if (strcmp(fpw->pw_name, pw->pw_name) != 0) {
+		if (fpw == NULL || strcmp(fpw->pw_name, pw->pw_name) != 0) {
 			/* nope */
-			free(fpw);
+			if (fpw != NULL)
+				free(fpw);
 			if (write(tfd, p, q - p + 1) != q - p + 1)
 				goto err;
 			++q;
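Review bot: the comment added above `*q = t;` names the type "struct password", but `fpw->pw_name` is a member of struct passwd, so the comment should use that name. The `if (fpw != NULL)` guard in front of `free(fpw)` can be dropped, because free(NULL) is defined to do nothing. The `fpw == NULL ||` test is correctly placed ahead of the strcmp, so the dereference is short-circuited. It would help if the comment also said that a malformed line is copied through unchanged and can therefore never be selected for replacement. The blank lines added around `t = *q;` are whitespace changes unrelated to the fix.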
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: thomas 
State-Changed-When: Mon Sep 4 15:08:03 UTC 2006 
State-Changed-Why:  
Committed to HEAD: 
src/lib/libutil/pw_util.c rev. 1.36 


Responsible-Changed-From-To: freebsd-bugs->thomas 
Responsible-Changed-By: thomas 
Responsible-Changed-When: Mon Sep 4 15:08:03 UTC 2006 
Responsible-Changed-Why:  
I'll take care of this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=102848 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/102848: commit references a PR
Date: Mon, 25 Sep 2006 10:05:55 +0000 (UTC)

 thomas      2006-09-25 10:05:38 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     lib/libutil          pw_util.c 
   Log:
   MFC rev 1.36 to RELENG_6:
   (pw_copy): Handle the case of a malformed line in master.passwd
    (copy it silently, do not dereference NULL pointer).
   
   MFC rev. 1.37 to RELENG_6:
   Minor comment fix to the change above.
   
   PR:             bin/102848
   Approved by:    re (hrs)
   
   Revision  Changes    Path
   1.35.8.1  +11 -2     src/lib/libutil/pw_util.c
 
State-Changed-From-To: patched->closed 
State-Changed-By: delphij 
State-Changed-When: Mon Sep 25 10:28:31 UTC 2006 
State-Changed-Why:  
MFC'ed to RELENG_6 

http://www.freebsd.org/cgi/query-pr.cgi?pr=102848 
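
The behaviour the Description asks of pw_copy, shown as an added C example that is not part of this PR or of libutil: a copy-and-replace loop that passes malformed lines through unchanged and still updates an entry located after them. `scan_name`, `copy_replace` and `SAMPLE` are hypothetical names, and `scan_name` only stands in for pw_scan by counting fields.

```c
#include <stdlib.h>
#include <string.h>

#define MASTER_COLONS 9 /* master.passwd: 10 colon-separated fields per line */
/* Constructed sample input; the second line has the wrong number of fields. */
const char SAMPLE[] =
    "root:*:0:0::0:0:Charlie &:/root:/bin/csh\n"
    "broken:line\n"
    "alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh\n";

/* Hypothetical stand-in for pw_scan(): malloc'd login name, NULL if malformed. */
static char *scan_name(const char *line, size_t len)
{
    const char *c = memchr(line, ':', len);
    size_t i, colons = 0;
    for (i = 0; i < len; i++)
        colons += (line[i] == ':');
    if (c == NULL || c == line || colons != MASTER_COLONS)
        return NULL;
    char *name = calloc(1, (size_t)(c - line) + 1);
    return name ? memcpy(name, line, (size_t)(c - line)) : NULL;
}

/* Copy in to out, replacing user's line with entry; malformed lines are copied
 * verbatim and counted. Returns 1 if replaced, 0 if not, -1 if out is too small. */
int copy_replace(const char *in, const char *user, const char *entry,
                 char *out, size_t outsz, int *malformed)
{
    size_t used = 0;
    int replaced = 0;
    for (*malformed = 0; *in != '\0'; ) {
        const char *nl = strchr(in, '\n'), *src = in;
        size_t len = nl ? (size_t)(nl - in) : strlen(in), n = len;
        char *name = scan_name(in, len);
        if (name == NULL) {
            (*malformed)++;           /* no name to compare: copy line as-is */
        } else if (strcmp(name, user) == 0) {
            src = entry; n = strlen(entry); replaced = 1;
        }
        free(name);                   /* free(NULL) is a no-op */
        if (used + n + 2 > outsz) return -1;
        memcpy(out + used, src, n);
        out[used + n] = '\n';
        used += n + 1;
        in += len + (nl != NULL);
    }
    if (used >= outsz) return -1;
    out[used] = '\0';
    return replaced;
}
```

A non-zero `*malformed` after the call is a cue to inspect the password file, since such lines are carried over rather than repaired.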
>Unformatted:
