Subject: lib/1779: innetgr() dumps core on netgroups with wildcards
To: None <gnats-bugs@gnats.netbsd.org, rhialto@polder.ubc.kun.nl>
From: Olaf Seibert <rhialto@polder.ubc.kun.nl>
List: netbsd-bugs
Date: 11/23/1995 00:04:54
>Number: 1779
>Category: lib
>Synopsis: innetgr() dumps core on netgroups with wildcards
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: lib-bug-people (Library Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Nov 22 18:20:11 1995
>Last-Modified:
>Originator: Olaf Seibert
>Organization:
___ Olaf 'Rhialto' Seibert D787B44DFC896063 4CBB95A5BD1DAA96
\X/ There are no lemurs in this post rhialto@polder.ubc.kun.nl
>Release: 1.0
>Environment:
System: NetBSD polder.ubc.kun.nl 1.0 NetBSD 1.0 (POLDER) #30: Tue Nov 21 00:38:28 MET 1995 rhialto@polder.ubc.kun.nl:/home/src/sys/arch/i386/compile/POLDER i386
>Description:
If you make a call to innetgr(3) with a /etc/netgroup file that contains
an entry like this:
polders (polder.ubc.kun.nl,,)
then innetgr() calls strcmp(3) with a NULL pointer argument. This NULL
is the representation of the wildcarded user and/or domain field.
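The wildcard semantics described above, as an added example that is not part of the PR or of libc: a small parser for one netgroup triple that stores NULL for an empty field, and a matcher that applies the patched innetgr() test without ever handing a NULL to strcmp(3). The names ng_triple, ng_parse and ng_match are assumptions made for this example.

```c
/* Added illustration (not the PR's or libc's code): parse a netgroup triple such
 * as "(polder.ubc.kun.nl,,)" and match it as the patched innetgr() does. */
#include <string.h>

#define NG_HOST 0
#define NG_USER 1
#define NG_DOM  2

struct ng_triple {
    char *f[3];      /* host, user, domain; NULL marks an empty (wildcard) field */
    char  buf[128];  /* storage the three pointers refer into */
};

/* Parse "(host,user,domain)" into t; returns 0 on success, -1 if malformed. */
int ng_parse(const char *s, struct ng_triple *t)
{
    char *p, *field;
    int i;
    if (*s != '(' || strlen(s) >= sizeof(t->buf))
        return -1;
    strcpy(t->buf, s + 1);
    if ((p = strchr(t->buf, ')')) == NULL)
        return -1;
    *p = '\0';
    field = t->buf;
    for (i = 0; i < 3; i++) {
        p = strchr(field, ',');
        if ((p == NULL) != (i == 2))   /* exactly two commas expected */
            return -1;
        if (p != NULL) *p = '\0';
        t->f[i] = (*field == '\0') ? NULL : field;   /* empty field => wildcard */
        if (p != NULL) field = p + 1;
    }
    return 0;
}

/* A field matches when query or entry is a wildcard (NULL) or the strings are equal. */
static int ng_field_match(const char *q, const char *e)
{
    return q == NULL || e == NULL || strcmp(q, e) == 0;
}

/* The patched innetgr() condition applied to a single parsed entry. */
int ng_match(const struct ng_triple *t, const char *host, const char *user, const char *dom)
{
    return ng_field_match(host, t->f[NG_HOST]) &&
        ng_field_match(user, t->f[NG_USER]) && ng_field_match(dom, t->f[NG_DOM]);
}
```

Note that an entry whose user and domain fields are empty matches every user and every domain for that host, which is what an access list built on such a netgroup grants.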
>How-To-Repeat:
I found it the following way. Compile samba. Configure it with an access
list using the netgroup shown above. Watch the core dump.
>Fix:
Apply the following patch to /usr/src/lib/libc/gen/getnetgrent.c.
It also fixes a case of the "NULL is equal to 0" disease.
*** getnetgrent.c.org Wed Nov 22 23:46:56 1995
--- getnetgrent.c Wed Nov 22 23:52:45 1995
***************
*** 177,189 ****
char *hst, *usr, *dm;
setnetgrent(group);
! while (getnetgrent(&hst, &usr, &dm))
! if ((host == (char *)0 || !strcmp(host, hst)) &&
! (user == (char *)0 || !strcmp(user, usr)) &&
! (dom == (char *)0 || !strcmp(dom, dm))) {
endnetgrent();
return (1);
}
endnetgrent();
return (0);
}
--- 177,190 ----
char *hst, *usr, *dm;
setnetgrent(group);
! while (getnetgrent(&hst, &usr, &dm)) {
! if ((host == (char *)0 || hst == (char *)0 || !strcmp(host, hst)) &&
! (user == (char *)0 || usr == (char *)0 || !strcmp(user, usr)) &&
! (dom == (char *)0 || dm == (char *)0 || !strcmp(dom, dm))) {
endnetgrent();
return (1);
}
+ }
endnetgrent();
return (0);
}
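Review bot: The added `hst == (char *)0 || usr == (char *)0 || dm == (char *)0` tests turn an empty (NULL) entry field into a match for any query value, which removes the strcmp(3)-on-NULL crash and gives the wildcard its intended meaning; note that this also means an entry whose host field is empty now matches every host, so callers relying on innetgr() for access control should be aware of that semantics. The braces added around the while body change no behaviour (the body is still a single if statement); say so in the commit text so reviewers do not look for a second fix in this hunk.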
***************
*** 221,227 ****
while (*pos != '\0') {
if (*pos == '(') {
grp = (struct netgrp *)malloc(sizeof (struct netgrp));
! bzero((char *)grp, sizeof (struct netgrp));
grp->ng_next = grouphead.gr;
grouphead.gr = grp;
pos++;
--- 222,230 ----
while (*pos != '\0') {
if (*pos == '(') {
grp = (struct netgrp *)malloc(sizeof (struct netgrp));
! grp->ng_str[NG_HOST] = (char *)0;
! grp->ng_str[NG_USER] = (char *)0;
! grp->ng_str[NG_DOM] = (char *)0;
grp->ng_next = grouphead.gr;
grouphead.gr = grp;
pos++;
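Review bot: The three explicit `(char *)0` stores initialize the string pointers portably instead of relying on bzero() producing null pointers, but the malloc() result on the preceding line is still unchecked, so a NULL return is dereferenced at `grp->ng_str[NG_HOST] = (char *)0;`; add an `if (grp == NULL)` check before the assignments. Dropping bzero() loses nothing else, since ng_next is assigned on the very next line.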
>Audit-Trail:
>Unformatted: