12236 getmembers_DN doesn't properly handle errors from __ns_ldap_dn2uid
12240 nss_ldap does not properly look up group members by distinguished name

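--- a/usr/src/lib/nsswitch/ldap/common/getgrent.c
+++ b/usr/src/lib/nsswitch/ldap/common/getgrent.c
@@ -16,20 +16,21 @@
  * fields enclosed by brackets "[]" replaced with your own identifying
  * information: Portions Copyright [yyyy] [name of copyright owner]
  *
  * CDDL HEADER END
  */
 /*
  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  *
  * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2020 Joyent, Inc.
  */
 
 #include <grp.h>
 #include "ldap_common.h"
 #include <string.h>
 
 /* String which may need to be removed from beginning of group password */
 #define _CRYPT          "{CRYPT}"
 #define _NO_PASSWD_VAL  ""
 
@@ -232,21 +233,21 @@
  * CN=Doe\, John,OU=Users,DC=contoso,DC=com => john.doe
  */
 static int
 getmembers_DN(char **bufpp, int *lenp, ns_ldap_attr_t *members)
 {
         ns_ldap_error_t *error = NULL;
         char    *member_dn, *member_uid;
         char    *buffer;
         int     buflen;
         int     i, len;
-        int     nss_result = 0;
+        int     nss_result = 0; /* used by TEST_AND_ADJUST macro */
         int     firsttime;
 
         buffer = *bufpp;
         buflen = *lenp;
         firsttime = (buffer[-1] == ':');
 
         for (i = 0; i < members->value_count; i++) {
                 member_dn = members->attrvalue[i];
                 if (member_dn == NULL)
                         goto out;
@@ -256,23 +257,22 @@
                  * full distinguished names (DNs).  We need to loookup
                  * the Unix UID (name) for each.
                  */
 #ifdef DEBUG
                 (void) fprintf(stdout, "getmembers_DN: dn=%s\n",
                     member_dn);
 #endif
                 if (member_dn[0] == '\0')
                         continue;
 
-                nss_result = __ns_ldap_dn2uid(member_dn,
-                    &member_uid, NULL, &error);
-                if (nss_result != NS_LDAP_SUCCESS) {
+                if (__ns_ldap_dn2uid(member_dn,
+                    &member_uid, NULL, &error) != NS_LDAP_SUCCESS) {
                         (void) __ns_ldap_freeError(&error);
                         error = NULL;
                         continue;
                 }
 #ifdef DEBUG
                 (void) fprintf(stdout, "getmembers_DN: uid=<%s>\n",
                     member_uid);
 #endif
                 /* Skip invalid names. */
                 if (member_uid[0] == '\0' ||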
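Review bot: The new condition at new-side lines 267-268 discards the status returned by __ns_ldap_dn2uid, so a transient directory error and a DN that simply resolves to no uid are treated the same way — the member is silently dropped and the caller receives a group entry that looks complete but is missing members. Keeping the status in its own local, `int rc = __ns_ldap_dn2uid(member_dn, &member_uid, NULL, &error);` followed by `if (rc != NS_LDAP_SUCCESS) {`, preserves the fix's intent of leaving nss_result untouched for TEST_AND_ADJUST while letting the existing DEBUG fprintf path report rc and the error text before __ns_ldap_freeError() discards them. Whether __ns_ldap_dn2uid distinguishes a not-found result from a lookup failure is not visible in this hunk; if it does, only the not-found case should be skipped without a trace. The body of getmembers_DN continues past the end of the hunk.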