From wpaul@ctr.columbia.edu  Thu Jun  1 19:06:30 1995
Received: from sirius.ctr.columbia.edu (root@sirius.ctr.columbia.edu [128.59.64.60])
          by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id TAA22905
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 1 Jun 1995 19:06:29 -0700
Received: from bootserv.ctr.columbia.edu (bootserv.ctr.columbia.edu [128.59.72.36]) by sirius.ctr.columbia.edu (8.6.11/8.6.4.287) with ESMTP id WAA21229 for <FreeBSD-gnats-submit@freebsd.org>; Thu, 1 Jun 1995 22:06:25 -0400
Received: (wpaul@localhost) by bootserv.ctr.columbia.edu (8.6.11/8.6.4.788743) id WAA00680; Thu, 1 Jun 1995 22:06:29 -0400
Message-Id: <199506020206.WAA00680@bootserv.ctr.columbia.edu>
Date: Thu, 1 Jun 1995 22:06:29 -0400
From: wpaul@ctr.columbia.edu
Reply-To: wpaul@ctr.columbia.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: getpwent.c/NIS bug and fix
X-Send-Pr-Version: 3.2

>Number:         473
>Category:       bin
>Synopsis:       getpwent.c/NIS bug and fix
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs (FreeBSD bugs mailing list)
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun  1 19:10:05 1995
>Closed-Date:    Fri Jun 2 04:23:47 PDT 1995
>Last-Modified:
>Originator:     Bill Paul
>Release:        FreeBSD 2.0-BUILT-19950527 i386
>Organization:
Center for Telecommunications Research, Columbia University
>Environment:

	FreeBSD 2.0.5-ALPHA
	i386sx/16 MHz system with 387sx FPU
	4 MB RAM
	20 MB XT-class hard disk
	generic VGA
	3c503 ethernet (8-bit)

>Description:


	The +@netgroup/-@netgroup NIS password overrides can fail in
	some cases due to a subtle bug. Specifically, if you override
	an NIS user's shell, /usr/bin/login and /usr/bin/su (and probably
	other commands) can end up with bogus data for the pw_shell
	member of the passwd structure *if* they do an endpwent(),
	thereby preventing logins.

	This happens because the text fields in the passwd structure
	(pw_name, pw_passwd, pw_gecos, pw_class, pw_dir and pw_shell)
	are returned to the calling program as pointers to dynamically
	allocated buffers, rather than pointers to static buffers as
	they should be. Once endpwent() is called, the dynamic buffers
	are free()ed, which invalidates the data returned by the
	library functions.

>How-To-Repeat:

	1) enable NIS
	2) put an entry in the master.passwd file that overrides
	   the shell field for a user in the NIS database, like this:
	   +testuser:::::::::/bin/csh
	3) attempt to login as user 'testuser'. The result will be
	   that /usr/bin/login will end up with some random value
	   for pw_shell and the login will fail.
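	The failure mode described above (fields that point into a heap
	buffer the library later frees) and the sequence in the repeat
	steps (look the user up, release the NIS buffer as endpwent()
	would, then read pw_shell as login does) can be simulated in a
	few lines. What follows is an added example written for this
	note, not code from the PR or from FreeBSD's libc: the struct,
	the field parser, the buffer sizes NAME_SZ/PASSWD_SZ/PATH_SZ
	and the sample passwd line are all constructed for the
	illustration. It goes one step past the patch by bounding the
	copy into the static buffers and reporting truncation, which
	a plain strcpy() does not do.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed buffer sizes for this illustration only; the real libc
 * limits (UT_NAMESIZE, _PASSWORD_LEN, MAXPATHLEN) differ. */
#define NAME_SZ   32
#define PASSWD_SZ 128
#define PATH_SZ   256

/* Cut-down stand-in for struct passwd: only text fields matter here. */
struct pwent {
    char *pw_name;
    char *pw_passwd;
    char *pw_dir;
    char *pw_shell;
};

/* Next colon-separated field of *sp, NUL-terminated in place, *sp advanced
 * past the colon (what strsep(&result, ":") does in the patch). A missing
 * field yields "" rather than NULL so a later copy never faults. */
static char *next_field(char **sp)
{
    static char empty[1];
    char *start = *sp, *colon;

    if (start == NULL)
        return empty;
    colon = strchr(start, ':');
    if (colon != NULL) {
        *colon = '\0';
        *sp = colon + 1;
    } else {
        *sp = NULL;
    }
    return start;
}

/* Copy src into a fixed-size buffer, always NUL-terminating.
 * Returns 1 if src fit, 0 if it had to be truncated. */
static int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);

    if (n < dstsz) {
        memcpy(dst, src, n + 1);
        return 1;
    }
    memcpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return 0;
}

/* Shape of the bug: every field points into 'result', the heap buffer
 * holding the NIS line. Once the caller frees it (the endpwent() step in
 * the report) all four pointers dangle. Kept for contrast only; the
 * callers below never read its fields after the free. */
static void breakout_dangling(struct pwent *pw, char *result)
{
    pw->pw_name   = next_field(&result);
    pw->pw_passwd = next_field(&result);
    pw->pw_dir    = next_field(&result);
    pw->pw_shell  = next_field(&result);
}

/* Shape of the fix: parse in place, then copy each field into static
 * storage with a bound, so the struct outlives 'result'. Static buffers
 * make this non-reentrant, which is the classic getpw*() contract the
 * report asks for. Returns 0 if any field was truncated. */
static int breakout_static(struct pwent *pw, char *result)
{
    static char name[NAME_SZ], passwd[PASSWD_SZ], dir[PATH_SZ], shell[PATH_SZ];
    int fit = 1;

    fit &= bounded_copy(name,   sizeof name,   next_field(&result));
    fit &= bounded_copy(passwd, sizeof passwd, next_field(&result));
    fit &= bounded_copy(dir,    sizeof dir,    next_field(&result));
    fit &= bounded_copy(shell,  sizeof shell,  next_field(&result));
    pw->pw_name   = name;
    pw->pw_passwd = passwd;
    pw->pw_dir    = dir;
    pw->pw_shell  = shell;
    return fit;
}

/* Heap copy of a line, standing in for the buffer a yp_match()-style
 * lookup hands back and endpwent() later frees. */
static char *heap_line(const char *line)
{
    size_t n = strlen(line) + 1;
    char *p = malloc(n);

    if (p != NULL)
        memcpy(p, line, n);
    return p;
}

/* The report's sequence with the fixed breakout; 1 if pw_shell survived. */
static int shell_survives_free(void)
{
    char *result = heap_line("testuser:*:/home/testuser:/bin/csh"); /* constructed sample */
    struct pwent pw;
    int ok;

    if (result == NULL)
        return 0;
    breakout_static(&pw, result);
    free(result);                                /* the endpwent() step */
    ok = strcmp(pw.pw_shell, "/bin/csh") == 0;   /* static storage: still valid */
    return ok;
}

/* The check a reviewer wants on top of the fix: an oversized field is
 * truncated and reported, not written past the end of the static buffer. */
static int oversized_shell_is_detected(void)
{
    const char prefix[] = "u:*:/home/u:";
    size_t plen = sizeof prefix - 1, alen = PATH_SZ + 10;
    char *result = malloc(plen + alen + 1);
    struct pwent pw;
    int fit;

    if (result == NULL)
        return 0;
    memcpy(result, prefix, plen);
    memset(result + plen, 'A', alen);            /* shell field longer than PATH_SZ */
    result[plen + alen] = '\0';
    fit = breakout_static(&pw, result);
    free(result);
    return fit == 0 && strlen(pw.pw_shell) == PATH_SZ - 1
        && strcmp(pw.pw_dir, "/home/u") == 0;
}
```

	The point of bounded_copy() is that the static buffers the patch
	introduces are only safe if the copy into them is bounded; a
	server-supplied field longer than the buffer otherwise overwrites
	libc's static data on every client. Callers that care can treat a
	0 return from breakout_static() as a reason to reject the entry.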
>Fix:
	
	This is a context diff for /usr/src/lib/libc/gen/getpwent.c
	that fixes the problem. A more elegant solution would be
	preferable, and I intend to implement one for 2.1 just as soon
	as the code lockout for 2.0.5 is lifted.


*** getpwent.c.orig	Thu Jun  1 21:16:00 1995
--- getpwent.c	Thu Jun  1 21:20:01 1995
***************
*** 496,501 ****
--- 496,510 ----
  _pw_breakout_yp(struct passwd *pw, char *result, int master)
  {
  	char *s;
+ 	static char name[UT_NAMESIZE+2], passwd[_PASSWORD_LEN], class[1024];
+ 	static char gecos[1024], dir[MAXPATHLEN], shell[MAXPATHLEN];
+ 
+ 	strcpy(name, pw->pw_name); pw->pw_name = (char *)&name;
+ 	strcpy(passwd, pw->pw_passwd); pw->pw_passwd = (char *)&passwd;
+ 	strcpy(class, pw->pw_class); pw->pw_class = (char *)&class;
+ 	strcpy(gecos, pw->pw_gecos); pw->pw_gecos = (char *)&gecos;
+ 	strcpy(dir, pw->pw_dir); pw->pw_dir = (char *)&dir;
+ 	strcpy(shell, pw->pw_shell); pw->pw_shell = (char *)&shell;
  
  	s = strsep(&result, ":"); /* name */
  	if(!(pw->pw_fields & _PWF_NAME) || (pw->pw_name[0] == '+')) {
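Review bot: the six strcpy() calls copy pw_name through pw_shell into fixed-size static buffers (name[UT_NAMESIZE+2], passwd[_PASSWORD_LEN], class[1024], gecos[1024], dir[MAXPATHLEN], shell[MAXPATHLEN]) with no length check, so a field longer than its buffer overwrites libc's static data in every process that does the lookup; a bounded copy keeps the fix intact, e.g. `strncpy(shell, pw->pw_shell, sizeof(shell) - 1); shell[sizeof(shell) - 1] = '\0';` and the same for the other five. Two follow-ups on the same hunk: the parsing that starts at `s = strsep(&result, ":"); /* name */` is not shown past the `if`, and if the override branch stores `s` straight into pw->pw_name (and later fields) those pointers land back inside `result`, undoing the copy made here, so that branch should copy into the static buffer too; and `(char *)&name` is the array's address cast to char *, where plain `name` is the same pointer without the cast. If any of the incoming pw_* pointers can be NULL at this point, strcpy() will fault, so either guard them or note why they are always set.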
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: davidg 
State-Changed-When: Fri Jun 2 04:23:47 PDT 1995 
State-Changed-Why:  
Fixed in rev 1.23.2.1 by applying Bill's suggested fix. 
>Unformatted:



