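#include <pthread.h>
#include <byteswap.h>
#include <string.h>
#include <unistd.h>
#include "pwf.h"
#include "nscd.h"

/*
 * Write the decimal form of x, NUL-terminated, right-aligned into the
 * 11-byte buffer at p and return a pointer to its first digit.
 * The caller must supply at least 11 writable bytes.
 */
static char *itoa(char *p, uint32_t x)
{
	// number of digits in a uint32_t + NUL
	p += 11;
	*--p = 0;
	do {
		*--p = '0' + x % 10;
		x /= 10;
	} while (x);
	return p;
}

/*
 * Look up one passwd entry, by name when name is non-NULL, otherwise by uid.
 *
 * /etc/passwd is scanned first through __getpwent_a(). If that scan ends
 * without a match, nscd is queried through __nscd_query() and its reply is
 * validated before any of it is exposed to the caller.
 *
 * pw    receives the entry; its string members point into *buf.
 * buf   caller-owned buffer; may be replaced by realloc() here.
 * size  size of *buf; updated when *buf is reallocated here.
 * res   set to NULL on entry, and to pw once an nscd reply passes validation
 *       (during the file scan it is set by __getpwent_a()).
 *
 * Returns 0 with *res non-NULL on a match, 0 with *res NULL when no entry
 * was found, or an errno value, which is also stored in errno.
 * Thread cancellation is disabled for the duration of the call and the
 * previous state is restored before returning.
 */
int __getpw_a(const char *name, uid_t uid, struct passwd *pw, char **buf, size_t *size, struct passwd **res)
{
	FILE *f;
	int cs;
	int rv = 0;

	*res = 0;

	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &cs);

	f = fopen("/etc/passwd", "rbe");
	if (!f) {
		/* NOTE(review): this path skips the nscd fallback entirely, so
		 * the ENOENT/ENOTDIR cases tested below can only come from
		 * __getpwent_a() -- confirm that this is intended.
		 */
		rv = errno;
		goto done;
	}

	while (!(rv = __getpwent_a(f, pw, buf, size, res)) && *res) {
		if ((name && !strcmp(name, (*res)->pw_name))
		    || (!name && (*res)->pw_uid == uid))
			break;
	}
	fclose(f);

	if (!*res && (rv == 0 || rv == ENOENT || rv == ENOTDIR)) {
		int32_t req = name ? GETPWBYNAME : GETPWBYUID;
		const char *key;
		int32_t passwdbuf[PW_LEN] = {0};
		size_t len = 0;
		char uidbuf[11] = {0};

		if (name) {
			key = name;
		} else {
			/* uid outside of this range can't be queried with the
			 * nscd interface, but might happen if uid_t ever
			 * happens to be a larger type (this is not true as of
			 * now)
			 */
			if (uid < 0 || uid > UINT32_MAX) {
				rv = 0;
				goto done;
			}
			key = itoa(uidbuf, uid);
		}

		/* The last argument is an out-parameter whose value is not
		 * used here; a throwaway compound literal receives it.
		 */
		f = __nscd_query(req, key, passwdbuf, sizeof passwdbuf, (int[]){0});
		if (!f) { rv = errno; goto done; }

		/* nscd answered but has no such entry: not an error. */
		if (!passwdbuf[PWFOUND]) { rv = 0; goto cleanup_f; }

		/* A zero length response from nscd is invalid. We ignore
		 * invalid responses and just report an error, rather than
		 * trying to do something with them.
		 */
		if (!passwdbuf[PWNAMELEN] || !passwdbuf[PWPASSWDLEN]
		    || !passwdbuf[PWGECOSLEN] || !passwdbuf[PWDIRLEN]
		    || !passwdbuf[PWSHELLLEN]) {
			rv = EIO;
			goto cleanup_f;
		}

		/* Bound every length at once. A negative int32_t converts to a
		 * very large size_t in this comparison, so negative lengths
		 * are rejected here as well.
		 */
		if ((passwdbuf[PWNAMELEN]|passwdbuf[PWPASSWDLEN]
		     |passwdbuf[PWGECOSLEN]|passwdbuf[PWDIRLEN]
		     |passwdbuf[PWSHELLLEN]) >= SIZE_MAX/8) {
			rv = ENOMEM;
			goto cleanup_f;
		}

		/* Sum the lengths as size_t, not int. They are int32_t values
		 * taken from the nscd reply; added as int they could overflow
		 * and yield a total smaller than the individual fields, which
		 * would place the field pointers computed below outside *buf.
		 * Each length is below SIZE_MAX/8 after the check above, so
		 * the size_t sum of five cannot wrap.
		 */
		len = (size_t)passwdbuf[PWNAMELEN] + (size_t)passwdbuf[PWPASSWDLEN]
		    + (size_t)passwdbuf[PWGECOSLEN] + (size_t)passwdbuf[PWDIRLEN]
		    + (size_t)passwdbuf[PWSHELLLEN];

		if (len > *size || !*buf) {
			/* Keep the old pointer until realloc succeeds so the
			 * caller's buffer is not lost on failure.
			 */
			char *tmp = realloc(*buf, len);
			if (!tmp) {
				rv = errno;
				goto cleanup_f;
			}
			*buf = tmp;
			*size = len;
		}

		/* A short read leaves part of the record unset; treat it as an
		 * error rather than using it.
		 */
		if (!fread(*buf, len, 1, f)) {
			rv = ferror(f) ? errno : EIO;
			goto cleanup_f;
		}

		/* The five strings are stored back to back in *buf. */
		pw->pw_name = *buf;
		pw->pw_passwd = pw->pw_name + passwdbuf[PWNAMELEN];
		pw->pw_gecos = pw->pw_passwd + passwdbuf[PWPASSWDLEN];
		pw->pw_dir = pw->pw_gecos + passwdbuf[PWGECOSLEN];
		pw->pw_shell = pw->pw_dir + passwdbuf[PWDIRLEN];
		pw->pw_uid = passwdbuf[PWUID];
		pw->pw_gid = passwdbuf[PWGID];

		/* Don't assume that nscd made sure to null terminate strings.
		 * It's supposed to, but malicious nscd should be ignored
		 * rather than causing a crash.
		 */
		if (pw->pw_passwd[-1] || pw->pw_gecos[-1] || pw->pw_dir[-1]
		    || pw->pw_shell[passwdbuf[PWSHELLLEN]-1]) {
			rv = EIO;
			goto cleanup_f;
		}

		/* The reply must be for the key that was asked for; an entry
		 * for a different name or uid is rejected.
		 */
		if ((name && strcmp(name, pw->pw_name))
		    || (!name && uid != pw->pw_uid)) {
			rv = EIO;
			goto cleanup_f;
		}

		/* Only now is the entry published to the caller. */
		*res = pw;
cleanup_f:
		fclose(f);
		goto done;
	}

done:
	pthread_setcancelstate(cs, 0);
	if (rv) errno = rv;
	return rv;
}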