pwd_mkdb: limit db entries to _PW_BUF_LEN to match libc

Otherwise, it is possible to create a passwd(5) entry that is too
large for getpwent(3), which ignores database entries larger than
_PW_BUF_LEN.  This adds a check in db_store() so that we do not
store an entry larger than getpwent(3) can read.  Callers of
pwd_mkdb(8), typically via pw_mkdb(3), already check for failure.

In most cases, the checks in chpass(1) will prevent a user from
creating an entry that is too large by changing their gecos field.
However, it is only when storing the db record that we know the
true size.

OK deraadt@

diff --git a/usr.sbin/pwd_mkdb/pwd_mkdb.c b/usr.sbin/pwd_mkdb/pwd_mkdb.c
index 14a0187..30716fe 100644 (file)
--- a/usr.sbin/pwd_mkdb/pwd_mkdb.c
+++ b/usr.sbin/pwd_mkdb/pwd_mkdb.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pwd_mkdb.c,v 1.61 2023/04/19 12:58:16 jsg Exp $       */
+/*     $OpenBSD: pwd_mkdb.c,v 1.62 2024/07/28 19:13:26 millert Exp $   */
 
 /*-
  * Copyright (c) 1991, 1993, 1994
@@ -608,6 +608,10 @@ db_store(FILE *fp, FILE *oldfp, DB *edp, DB *dp, struct passwd *pw,
                p += sizeof(int);
                data.size = p - buf;
 
+               /* getpwent() does not support entries > _PW_BUF_LEN. */
+               if (data.size > _PW_BUF_LEN)
+                       fatalx("%s: entry too large", pw->pw_name);
+
                /* Write the secure record. */
                if ((edp->put)(edp, &key, &data, dbmode) == -1)
                        fatal("put");