  1#include <pthread.h>
  2#include <byteswap.h>
  3#include <string.h>
  4#include <unistd.h>
  5#include "pwf.h"
  6#include "nscd.h"
  7
/*
 * Format x as decimal text at the tail of the caller's buffer.
 *
 * p must point to at least 11 writable bytes (10 digits for the largest
 * uint32_t plus the terminating NUL). Digits are written right to left, so
 * the returned pointer is the first digit and is usually past p, not p itself.
 */
static char *itoa(char *p, uint32_t x)
{
	char *cur = p + 11;

	/* Terminator goes in the last byte; digits are laid down in front of it. */
	*--cur = 0;
	for (;;) {
		*--cur = '0' + x % 10;
		x /= 10;
		/* Checked after the first digit so that 0 still yields "0". */
		if (!x)
			break;
	}
	return cur;
}
 19
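/*
 * Look up one passwd entry: by name when name is non-null, otherwise by uid.
 *
 * /etc/passwd is scanned first with __getpwent_a. If that finds no match and
 * ends with rv of 0, ENOENT or ENOTDIR, the nscd daemon is queried through
 * __nscd_query and its reply is validated before anything is handed back.
 *
 * name  user name to match, or null to match on uid
 * uid   user id to match when name is null
 * pw    caller's struct passwd, filled in on a match
 * buf   pointer to the string buffer; may be replaced via realloc(), so *buf
 *       must be null or a pointer realloc() accepts
 * size  size of *buf, updated when the buffer is grown
 * res   set to the matching entry on success, null when nothing matched
 *
 * Returns 0 both on a match and on "not found" (tell them apart via *res),
 * otherwise an errno value, which is also stored in errno.
 *
 * The nscd reply is untrusted input: every length field in it is checked
 * before it is used as an allocation size or as a pointer offset.
 */
int __getpw_a(const char *name, uid_t uid, struct passwd *pw, char **buf, size_t *size, struct passwd **res)
{
	FILE *f;
	int cs;
	int rv = 0;

	*res = 0;

	/* Cancellation stays disabled until the saved state is restored at done. */
	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &cs);

	/* "e" asks for the descriptor to be opened close-on-exec. */
	f = fopen("/etc/passwd", "rbe");
	if (!f) {
		/* NOTE(review): this path skips the nscd fallback entirely, so the
		 * ENOENT/ENOTDIR cases tested below can only come from
		 * __getpwent_a -- confirm that is intended. */
		rv = errno;
		goto done;
	}

	while (!(rv = __getpwent_a(f, pw, buf, size, res)) && *res) {
		if ((name && !strcmp(name, (*res)->pw_name))
		|| (!name && (*res)->pw_uid == uid))
			break;
	}
	fclose(f);

	if (!*res && (rv == 0 || rv == ENOENT || rv == ENOTDIR)) {
		int32_t req = name ? GETPWBYNAME : GETPWBYUID;
		const char *key;
		int32_t passwdbuf[PW_LEN] = {0};
		size_t len = 0;
		char uidbuf[11] = {0};

		if (name) {
			key = name;
		} else {
			/* uid outside of this range can't be queried with the
			 * nscd interface, but might happen if uid_t ever
			 * happens to be a larger type (this is not true as of
			 * now)
			 */
			if(uid < 0 || uid > UINT32_MAX) {
				rv = 0;
				goto done;
			}
			key = itoa(uidbuf, uid);
		}

		f = __nscd_query(req, key, passwdbuf, sizeof passwdbuf, (int[]){0});
		if (!f) { rv = errno; goto done; }

		/* Reply header says "no such entry": not an error, *res stays null. */
		if(!passwdbuf[PWFOUND]) { rv = 0; goto cleanup_f; }

		/* A zero length response from nscd is invalid. We ignore
		 * invalid responses and just report an error, rather than
		 * trying to do something with them.
		 */
		if (!passwdbuf[PWNAMELEN] || !passwdbuf[PWPASSWDLEN]
		|| !passwdbuf[PWGECOSLEN] || !passwdbuf[PWDIRLEN]
		|| !passwdbuf[PWSHELLLEN]) {
			rv = EIO;
			goto cleanup_f;
		}

		/* The int32_t fields are converted to size_t for this comparison, so
		 * a negative length becomes a huge value and is rejected here too.
		 * On targets where size_t is 64 bits wide, however, every positive
		 * int32_t value passes this bound.
		 */
		if ((passwdbuf[PWNAMELEN]|passwdbuf[PWPASSWDLEN]
		     |passwdbuf[PWGECOSLEN]|passwdbuf[PWDIRLEN]
		     |passwdbuf[PWSHELLLEN]) >= SIZE_MAX/8) {
			rv = ENOMEM;
			goto cleanup_f;
		}

		/* Add the lengths as size_t. Summing the int32_t fields directly is
		 * done in int, which can overflow (undefined behavior) when size_t
		 * is wider than int; a wrapped total would leave the buffer smaller
		 * than the field offsets applied to it below. Each term is below
		 * SIZE_MAX/8, so the size_t sum of five cannot wrap.
		 */
		len = (size_t)passwdbuf[PWNAMELEN] + (size_t)passwdbuf[PWPASSWDLEN]
		    + (size_t)passwdbuf[PWGECOSLEN] + (size_t)passwdbuf[PWDIRLEN]
		    + (size_t)passwdbuf[PWSHELLLEN];

		if (len > *size || !*buf) {
			/* Keep *buf intact if realloc fails; the caller still owns it. */
			char *tmp = realloc(*buf, len);
			if (!tmp) {
				rv = errno;
				goto cleanup_f;
			}
			*buf = tmp;
			*size = len;
		}

		/* All five strings arrive as one contiguous run of len bytes. */
		if (!fread(*buf, len, 1, f)) {
			rv = ferror(f) ? errno : EIO;
			goto cleanup_f;
		}

		/* Each field starts where the previous one ends. */
		pw->pw_name = *buf;
		pw->pw_passwd = pw->pw_name + passwdbuf[PWNAMELEN];
		pw->pw_gecos = pw->pw_passwd + passwdbuf[PWPASSWDLEN];
		pw->pw_dir = pw->pw_gecos + passwdbuf[PWGECOSLEN];
		pw->pw_shell = pw->pw_dir + passwdbuf[PWDIRLEN];
		pw->pw_uid = passwdbuf[PWUID];
		pw->pw_gid = passwdbuf[PWGID];

		/* Don't assume that nscd made sure to null terminate strings.
		 * It's supposed to, but malicious nscd should be ignored
		 * rather than causing a crash.
		 */
		if (pw->pw_passwd[-1] || pw->pw_gecos[-1] || pw->pw_dir[-1]
		|| pw->pw_shell[passwdbuf[PWSHELLLEN]-1]) {
			rv = EIO;
			goto cleanup_f;
		}

		/* The reply must describe the entry that was asked for. */
		if ((name && strcmp(name, pw->pw_name))
		|| (!name && uid != pw->pw_uid)) {
			rv = EIO;
			goto cleanup_f;
		}


		*res = pw;
cleanup_f:
		fclose(f);
		goto done;
	}

done:
	pthread_setcancelstate(cs, 0);
	if (rv) errno = rv;
	return rv;
}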