From a63a57f89692a86cb0e0973483b9f8f8a9206f7a Mon Sep 17 00:00:00 2001 From: millert Date: Sun, 28 Jul 2024 19:13:26 +0000 Subject: [PATCH] pwd_mkdb: limit db entries to _PW_BUF_LEN to match libc Otherwise, it is possible to create a passwd(5) entry that is too large for getpwent(3), which ignores database entries larger than _PW_BUF_LEN. This adds a check in db_store() so that we do not store an entry larger than getpwent(3) can read. Callers of pwd_mkdb(8), typically via pw_mkdb(3), already check for failure. In most cases, the checks in chpass(1) will prevent a user from creating an entry that is too large by changing their gecos field. However, it is only when storing the db record that we know the true size. OK deraadt@ --- usr.sbin/pwd_mkdb/pwd_mkdb.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/usr.sbin/pwd_mkdb/pwd_mkdb.c b/usr.sbin/pwd_mkdb/pwd_mkdb.c index 14a0187eda1..30716fe1f0c 100644 --- a/usr.sbin/pwd_mkdb/pwd_mkdb.c +++ b/usr.sbin/pwd_mkdb/pwd_mkdb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pwd_mkdb.c,v 1.61 2023/04/19 12:58:16 jsg Exp $ */ +/* $OpenBSD: pwd_mkdb.c,v 1.62 2024/07/28 19:13:26 millert Exp $ */ /*- * Copyright (c) 1991, 1993, 1994 @@ -608,6 +608,10 @@ db_store(FILE *fp, FILE *oldfp, DB *edp, DB *dp, struct passwd *pw, p += sizeof(int); data.size = p - buf; + /* getpwent() does not support entries > _PW_BUF_LEN. */ + if (data.size > _PW_BUF_LEN) + fatalx("%s: entry too large", pw->pw_name); + /* Write the secure record. */ if ((edp->put)(edp, &key, &data, dbmode) == -1) fatal("put"); -- 2.20.1