From 650e2174e00f41e17de93906a7c5781197358dcf Mon Sep 17 00:00:00 2001
From: deraadt <deraadt@openbsd.org>
Date: Sat, 12 Apr 1997 00:12:57 +0000
Subject: [PATCH] bit more care with domainnames, adam@math.tau.ac.il

---
 usr.sbin/ypserv/ypserv/ypserv_proc.c | 68 ++++++++++++++++++++++++----
 usr.sbin/ypserv/ypxfr/ypxfr.c        |  9 +++-
 2 files changed, 66 insertions(+), 11 deletions(-)

diff --git a/usr.sbin/ypserv/ypserv/ypserv_proc.c b/usr.sbin/ypserv/ypserv/ypserv_proc.c
index 80bfaffe704..fc79ec9562d 100644
--- a/usr.sbin/ypserv/ypserv/ypserv_proc.c
+++ b/usr.sbin/ypserv/ypserv/ypserv_proc.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ypserv_proc.c,v 1.10 1997/03/30 20:51:21 maja Exp $ */
+/*	$OpenBSD: ypserv_proc.c,v 1.11 1997/04/12 00:12:57 deraadt Exp $ */
 
 /*
  * Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
@@ -32,7 +32,7 @@
  */
 
 #ifndef LINT
-static char rcsid[] = "$OpenBSD: ypserv_proc.c,v 1.10 1997/03/30 20:51:21 maja Exp $";
+static char rcsid[] = "$OpenBSD: ypserv_proc.c,v 1.11 1997/04/12 00:12:57 deraadt Exp $";
 #endif
 
 #include <rpc/rpc.h>
@@ -105,6 +105,8 @@ ypproc_domain_2_svc(argp, rqstp)
 	static char domain_path[MAXPATHLEN];
 	struct stat finfo;
 
+	if (strchr(*argp, '/'))
+		goto bail;
 	snprintf(domain_path, sizeof(domain_path), "%s/%s", YP_DB_PATH, *argp);
 	result = (bool_t) ((stat(domain_path, &finfo) == 0) &&
 				    (finfo.st_mode & S_IFDIR));
@@ -114,6 +116,7 @@ ypproc_domain_2_svc(argp, rqstp)
 	      TORF(ok), *argp, TORF(result));
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -132,6 +135,8 @@ ypproc_domain_nonack_2_svc(argp, rqstp)
 	static char domain_path[MAXPATHLEN];
 	struct stat finfo;
 
+	if (strchr(*argp, '/'))
+		goto bail;
 	snprintf(domain_path, sizeof(domain_path), "%s/%s", YP_DB_PATH, *argp);
 	result = (bool_t) ((stat(domain_path, &finfo) == 0) &&
 				    (finfo.st_mode & S_IFDIR));
@@ -142,6 +147,7 @@ ypproc_domain_nonack_2_svc(argp, rqstp)
 	  *argp, TORF(result));
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -163,6 +169,8 @@ ypproc_match_2_svc(argp, rqstp)
 	int ok = acl_check_host(&caller->sin_addr);
 	int secure = ypdb_secure(argp->domain,argp->map);
 
+	if (strchr(argp->domain, '/'))
+		goto bail;
 	YPLOG(
 	  "match_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s, key=%.*s",
 	  inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
@@ -170,6 +178,7 @@ ypproc_match_2_svc(argp, rqstp)
 	  argp->domain, argp->map, argp->key.keydat_len, argp->key.keydat_val);
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -197,12 +206,15 @@ ypproc_first_2_svc(argp, rqstp)
 	int ok = acl_check_host(&caller->sin_addr);
 	int secure = ypdb_secure(argp->domain,argp->map);
 
+	if (strchr(argp->domain, '/'))
+		goto bail;
 	YPLOG( "first_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s",
 	  inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
 	  TORF(ok), TORF(secure),
 	  argp->domain, argp->map);
 	
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -230,6 +242,8 @@ ypproc_next_2_svc(argp, rqstp)
 	int ok = acl_check_host(&caller->sin_addr);
 	int secure = ypdb_secure(argp->domain,argp->map);
 
+	if (strchr(argp->domain, '/'))
+		goto bail;
 	YPLOG(
 	  "next_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s, key=%.*s",
 	  inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
@@ -237,6 +251,7 @@ ypproc_next_2_svc(argp, rqstp)
 	  argp->domain, argp->map, argp->key.keydat_len, argp->key.keydat_val);
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -270,27 +285,23 @@ ypproc_xfr_2_svc(argp, rqstp)
 	char	*ipadd;
 
 	bzero((char *)&res, sizeof(res));
-	
+
 	YPLOG("xfr_2: caller=[%s].%d, auth_ok=%s, domain=%s, tid=%d, prog=%d",
 	  inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok), 
 	  argp->map_parms.domain, argp->transid, argp->prog);
 	YPLOG("       ipadd=%s, port=%d, map=%s", inet_ntoa(caller->sin_addr),
 	  argp->port, argp->map_parms.map);
 
-	if (ntohs(caller->sin_port) >= IPPORT_RESERVED)
-		ok = FALSE;
-
-	if (!ok) {
+	if (strchr(argp->map_parms.domain, '/') ||
+	    ntohs(caller->sin_port) >= IPPORT_RESERVED) {
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
 
 	pid = vfork();
-
 	if (pid == -1) {
 		svcerr_systemerr(rqstp->rq_xprt);
 		return(NULL);
-		
 	}
 
 	if (pid == 0) {
@@ -356,11 +367,14 @@ ypproc_all_2_svc(argp, rqstp)
 	int ok = acl_check_host(&caller->sin_addr);
 	int secure = ypdb_secure(argp->domain,argp->map);
 
+	if (strchr(argp->domain, '/'))
+		goto bail;
 	YPLOG( "all_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s",
 	  inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
 	  TORF(ok), TORF(secure), argp->domain, argp->map);
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -405,11 +419,14 @@ ypproc_master_2_svc(argp, rqstp)
 	int ok = acl_check_host(&caller->sin_addr);
 	int secure = ypdb_secure(argp->domain,argp->map);
 
+	if (strchr(argp->domain, '/'))
+		goto bail;
 	YPLOG( "master_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s",
 	  inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
 	  TORF(ok), TORF(secure), argp->domain, argp->map);
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -453,11 +470,14 @@ ypproc_order_2_svc(argp, rqstp)
 	int ok = acl_check_host(&caller->sin_addr);
 	int secure = ypdb_secure(argp->domain,argp->map);
 
+	if (strchr(argp->domain, '/'))
+		goto bail;
 	YPLOG( "order_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s",
 	  inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
 	  TORF(ok), TORF(secure), argp->domain, argp->map);
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -493,11 +513,14 @@ ypproc_maplist_2_svc(argp, rqstp)
 	struct ypmaplist *m;
 	char  *map_name;
 
+	if (strchr(*argp, '/'))
+		goto bail;
 	YPLOG("maplist_2: caller=[%s].%d, auth_ok=%s, domain=%s",
 	  inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
 	  *argp);
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -597,6 +620,8 @@ ypproc_domain_1_svc(argp, rqstp)
 	static char domain_path[MAXPATHLEN];
 	struct stat finfo;
 
+	if (strchr(*argp, '/'))
+		goto bail;
 	snprintf(domain_path, sizeof(domain_path), "%s/%s", YP_DB_PATH, *argp);
 	result = (bool_t) ((stat(domain_path, &finfo) == 0) &&
 				    (finfo.st_mode & S_IFDIR));
@@ -606,6 +631,7 @@ ypproc_domain_1_svc(argp, rqstp)
 	      TORF(ok), *argp, TORF(result));
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -624,6 +650,8 @@ ypproc_domain_nonack_1_svc(argp, rqstp)
 	static char domain_path[MAXPATHLEN];
 	struct stat finfo;
 
+	if (strchr(*argp, '/'))
+		goto bail;
 	snprintf(domain_path, sizeof(domain_path), "%s/%s", YP_DB_PATH, *argp);
 	result = (bool_t) ((stat(domain_path, &finfo) == 0) &&
 				    (finfo.st_mode & S_IFDIR));
@@ -634,6 +662,7 @@ ypproc_domain_nonack_1_svc(argp, rqstp)
 	  *argp, TORF(result));
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -655,6 +684,8 @@ ypproc_match_1_svc(argp, rqstp)
 	int ok = acl_check_host(&caller->sin_addr);
 	int secure;
 
+	if (strchr(argp->ypmatch_req_domain, '/'))
+		goto bail;
 	res.yp_resptype = YPMATCH_RESPTYPE;
 	res.ypmatch_resp_valptr = "";
 	res.ypmatch_resp_valsize = 0;
@@ -674,6 +705,7 @@ ypproc_match_1_svc(argp, rqstp)
 	  argp->ypmatch_req_keysize, argp->ypmatch_req_keyptr);
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -706,6 +738,8 @@ ypproc_first_1_svc(argp, rqstp)
 	int ok = acl_check_host(&caller->sin_addr);
 	int secure;
 
+	if (strchr(argp->ypfirst_req_domain, '/'))
+		goto bail;
 	res.yp_resptype = YPFIRST_RESPTYPE;
 	res.ypfirst_resp_valptr  = res.ypfirst_resp_keyptr  = "";
 	res.ypfirst_resp_valsize = res.ypfirst_resp_keysize = 0;
@@ -723,6 +757,7 @@ ypproc_first_1_svc(argp, rqstp)
 	  argp->ypfirst_req_domain, argp->ypfirst_req_map);
 	
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -754,6 +789,8 @@ ypproc_next_1_svc(argp, rqstp)
 	int ok = acl_check_host(&caller->sin_addr);
 	int secure;
 
+	if (strchr(argp->ypnext_req_domain, '/'))
+		goto bail;
 	res.yp_resptype = YPNEXT_RESPTYPE;
 	res.ypnext_resp_valptr  = res.ypnext_resp_keyptr  = "";
 	res.ypnext_resp_valsize = res.ypnext_resp_keysize = 0;
@@ -773,6 +810,7 @@ ypproc_next_1_svc(argp, rqstp)
 	  argp->ypnext_req_keysize, argp->ypnext_req_keyptr);
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -807,6 +845,8 @@ ypproc_poll_1_svc(argp, rqstp)
 	int ok = acl_check_host(&caller->sin_addr);
 	int secure;
 
+	if (strchr(argp->yppoll_req_domain, '/'))
+		goto bail;
 	res.yp_resptype = YPPOLL_RESPTYPE;
 	res.yppoll_resp_domain = argp->yppoll_req_domain;
 	res.yppoll_resp_map = argp->yppoll_req_map;
@@ -825,6 +865,7 @@ ypproc_poll_1_svc(argp, rqstp)
 	  argp->yppoll_req_domain, argp->yppoll_req_map);
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -855,6 +896,8 @@ ypproc_push_1_svc(argp, rqstp)
 	pid_t	pid;
 	char	yppush_proc[] = YPPUSH_PROC;
 
+	if (strchr(argp->yppush_req_domain, '/'))
+		goto bail;
 	if (argp->yp_reqtype != YPPUSH_REQTYPE) {
 		return(NULL);
 	}
@@ -870,6 +913,7 @@ ypproc_push_1_svc(argp, rqstp)
 		ok = FALSE;
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -902,6 +946,8 @@ ypproc_pull_1_svc(argp, rqstp)
 	pid_t	pid;
 	char	ypxfr_proc[] = YPXFR_PROC;
 
+	if (strchr(argp->yppull_req_domain, '/'))
+		goto bail;
 	if (argp->yp_reqtype != YPPULL_REQTYPE) {
 		return(NULL);
 	}
@@ -917,6 +963,7 @@ ypproc_pull_1_svc(argp, rqstp)
 		ok = FALSE;
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
@@ -950,6 +997,8 @@ ypproc_get_1_svc(argp, rqstp)
 	pid_t	pid;
 	char	ypxfr_proc[] = YPXFR_PROC;
 
+	if (strchr(argp->ypget_req_domain, '/'))
+		goto bail;
 	if (argp->yp_reqtype != YPGET_REQTYPE) {
 		return(NULL);
 	}
@@ -966,6 +1015,7 @@ ypproc_get_1_svc(argp, rqstp)
 		ok = FALSE;
 
 	if (!ok) {
+bail:
 		svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 		return(NULL);
 	}
diff --git a/usr.sbin/ypserv/ypxfr/ypxfr.c b/usr.sbin/ypserv/ypxfr/ypxfr.c
index 6bcd6003642..fda6dbf27ad 100644
--- a/usr.sbin/ypserv/ypxfr/ypxfr.c
+++ b/usr.sbin/ypserv/ypxfr/ypxfr.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ypxfr.c,v 1.15 1997/02/09 09:49:37 maja Exp $ */
+/*	$OpenBSD: ypxfr.c,v 1.16 1997/04/12 00:12:58 deraadt Exp $ */
 
 /*
  * Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
@@ -32,7 +32,7 @@
  */
 
 #ifndef LINT
-static char rcsid[] = "$OpenBSD: ypxfr.c,v 1.15 1997/02/09 09:49:37 maja Exp $";
+static char rcsid[] = "$OpenBSD: ypxfr.c,v 1.16 1997/04/12 00:12:58 deraadt Exp $";
 #endif
 
 #include <sys/types.h>
@@ -450,6 +450,8 @@ char *argv[];
 	    cflag++;
 	    break;
 	  case 'd':
+	    if (strchr(optarg, '/'))	/* Ha ha, we are not listening */
+		break;
 	    domain = optarg;
 	    break;
 	  case 'f':
@@ -459,6 +461,8 @@ char *argv[];
 	    host = optarg;
 	    break;
 	  case 's':
+	    if (strchr(optarg, '/'))	/* Ha ha, we are not listening */
+		break;
 	    srcdomain = optarg;
 	    break;
 	  case 'C':
@@ -532,6 +536,7 @@ char *argv[];
 		}
 	};
 
+	/* XXX this is raceable if portmap has holes! */
 	if (status > 0) {
 		
 	        yplog("Check for reserved port on host: %s", host); 
-- 
2.20.1