1    	/*
2    	 * System Security Services Daemon. NSS client interface
3    	 *
4    	 * Copyright (C) Simo Sorce 2007
5    	 *
6    	 * This program is free software; you can redistribute it and/or modify
7    	 * it under the terms of the GNU Lesser General Public License as
8    	 * published by the Free Software Foundation; either version 2.1 of the
9    	 * License, or (at your option) any later version.
10   	 *
11   	 * This program is distributed in the hope that it will be useful,
12   	 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13   	 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14   	 * GNU Lesser General Public License for more details.
15   	 *
16   	 * You should have received a copy of the GNU Lesser General Public
17   	 * License along with this program; if not, write to the Free Software
18   	 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19   	 */
20   	
21   	/* PASSWD database NSS interface */
22   	
23   	#include <nss.h>
24   	#include <errno.h>
25   	#include <sys/types.h>
26   	#include <unistd.h>
27   	#include <stdlib.h>
28   	#include <stdint.h>
29   	#include <string.h>
30   	#include "sss_cli.h"
31   	
32   	static struct sss_nss_getpwent_data {
33   	    size_t len;
34   	    size_t ptr;
35   	    uint8_t *data;
36   	} sss_nss_getpwent_data;
37   	
38   	static void sss_nss_getpwent_data_clean(void) {
39   	
40   	    if (sss_nss_getpwent_data.data != NULL) {
41   	        free(sss_nss_getpwent_data.data);
42   	        sss_nss_getpwent_data.data = NULL;
43   	    }
44   	    sss_nss_getpwent_data.len = 0;
45   	    sss_nss_getpwent_data.ptr = 0;
46   	}
47   	
48   	/* GETPWNAM Request:
49   	 *
50   	 * 0-X: string with name
51   	 *
52   	 * GERTPWUID Request:
53   	 *
54   	 * 0-3: 32bit number with uid
55   	 *
56   	 * Replies:
57   	 *
58   	 * 0-3: 32bit unsigned number of results
59   	 * 4-7: 32bit unsigned (reserved/padding)
60   	 * For each result:
61   	 *  0-3: 32bit number uid
62   	 *  4-7: 32bit number gid
63   	 *  8-X: sequence of 5, 0 terminated, strings (name, passwd, gecos, dir, shell)
64   	 */
65   	
66   	struct sss_nss_pw_rep {
67   	    struct passwd *result;
68   	    char *buffer;
69   	    size_t buflen;
70   	};
71   	
72   	static int sss_nss_getpw_readrep(struct sss_nss_pw_rep *pr,
73   	                                 uint8_t *buf, size_t *len)
74   	{
75   	    size_t i, slen, dlen;
76   	    char *sbuf;
77   	    uint32_t c;
78   	
79   	    if (*len < 13) { /* not enough space for data, bad packet */
80   	        return EBADMSG;
81   	    }
82   	
83   	    SAFEALIGN_COPY_UINT32(&c, buf, NULL);
84   	    pr->result->pw_uid = c;
85   	    SAFEALIGN_COPY_UINT32(&c, buf+sizeof(uint32_t), NULL);
86   	    pr->result->pw_gid = c;
87   	
88   	    sbuf = (char *)&buf[8];
89   	    slen = *len - 8;
90   	    dlen = pr->buflen;
91   	
92   	    i = 0;
93   	    pr->result->pw_name = &(pr->buffer[i]);
94   	    while (slen > i && dlen > 0) {
95   	        pr->buffer[i] = sbuf[i];
96   	        if (pr->buffer[i] == '\0') break;
97   	        i++;
98   	        dlen--;
99   	    }
100  	    if (slen <= i) { /* premature end of buf */
101  	        return EBADMSG;
102  	    }
103  	    if (dlen <= 0) { /* not enough memory */
104  	        return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
105  	    }
106  	    i++;
107  	    dlen--;
108  	
109  	    pr->result->pw_passwd = &(pr->buffer[i]);
110  	    while (slen > i && dlen > 0) {
111  	        pr->buffer[i] = sbuf[i];
112  	        if (pr->buffer[i] == '\0') break;
113  	        i++;
114  	        dlen--;
115  	    }
116  	    if (slen <= i) { /* premature end of buf */
117  	        return EBADMSG;
118  	    }
119  	    if (dlen <= 0) { /* not enough memory */
120  	        return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
121  	    }
122  	    i++;
123  	    dlen--;
124  	
125  	    pr->result->pw_gecos = &(pr->buffer[i]);
126  	    while (slen > i && dlen > 0) {
127  	        pr->buffer[i] = sbuf[i];
128  	        if (pr->buffer[i] == '\0') break;
129  	        i++;
130  	        dlen--;
131  	    }
132  	    if (slen <= i) { /* premature end of buf */
133  	        return EBADMSG;
134  	    }
135  	    if (dlen <= 0) { /* not enough memory */
136  	        return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
137  	    }
138  	    i++;
139  	    dlen--;
140  	
141  	    pr->result->pw_dir = &(pr->buffer[i]);
142  	    while (slen > i && dlen > 0) {
143  	        pr->buffer[i] = sbuf[i];
144  	        if (pr->buffer[i] == '\0') break;
145  	        i++;
146  	        dlen--;
147  	    }
148  	    if (slen <= i) { /* premature end of buf */
149  	        return EBADMSG;
150  	    }
151  	    if (dlen <= 0) { /* not enough memory */
152  	        return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
153  	    }
154  	    i++;
155  	    dlen--;
156  	
157  	    pr->result->pw_shell = &(pr->buffer[i]);
158  	    while (slen > i && dlen > 0) {
159  	        pr->buffer[i] = sbuf[i];
160  	        if (pr->buffer[i] == '\0') break;
161  	        i++;
162  	        dlen--;
163  	    }
164  	    if (slen <= i) { /* premature end of buf */
165  	        return EBADMSG;
166  	    }
167  	    if (dlen <= 0) { /* not enough memory */
168  	        return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
169  	    }
170  	
171  	    *len = slen -i -1;
172  	
173  	    return 0;
174  	}
175  	
176  	enum nss_status _nss_sss_getpwnam_r(const char *name, struct passwd *result,
177  	                                    char *buffer, size_t buflen, int *errnop)
178  	{
179  	    struct sss_cli_req_data rd;
180  	    struct sss_nss_pw_rep pwrep;
181  	    uint8_t *repbuf;
182  	    size_t replen, len;
183  	    enum nss_status nret;
184  	    int ret;
185  	
186  	    /* Caught once glibc passing in buffer == 0x0 */
187  	    if (!buffer || !buflen) return ERANGE;
188  	
189  	    rd.len = strlen(name) + 1;
190  	    rd.data = name;
191  	
Event alloc_arg: Calling allocation function "sss_nss_make_request" on "repbuf". [model]
Also see events: [leaked_storage]
192  	    nret = sss_nss_make_request(SSS_NSS_GETPWNAM, &rd,
193  	                                &repbuf, &replen, errnop);
At conditional (1): "nret != 1": Taking false branch.
194  	    if (nret != NSS_STATUS_SUCCESS) {
195  	        return nret;
196  	    }
197  	
198  	    pwrep.result = result;
199  	    pwrep.buffer = buffer;
200  	    pwrep.buflen = buflen;
201  	
202  	    /* no results if not found */
At conditional (2): "(uint32_t*)repbuf[0] == 0U": Taking false branch.
203  	    if (((uint32_t *)repbuf)[0] == 0) {
204  	        free(repbuf);
205  	        return NSS_STATUS_NOTFOUND;
206  	    }
207  	
208  	    /* only 1 result is accepted for this function */
At conditional (3): "(uint32_t*)repbuf[0] != 1U": Taking true branch.
209  	    if (((uint32_t *)repbuf)[0] != 1) {
210  	        *errnop = EBADMSG;
Event leaked_storage: Variable "repbuf" going out of scope leaks the storage it points to.
Also see events: [alloc_arg]
211  	        return NSS_STATUS_TRYAGAIN;
212  	    }
213  	
214  	    len = replen - 8;
215  	    ret = sss_nss_getpw_readrep(&pwrep, repbuf+8, &len);
216  	    free(repbuf);
217  	    if (ret) {
218  	        *errnop = ret;
219  	        return NSS_STATUS_TRYAGAIN;
220  	    }
221  	
222  	    return NSS_STATUS_SUCCESS;
223  	}
224  	
225  	enum nss_status _nss_sss_getpwuid_r(uid_t uid, struct passwd *result,
226  	                                    char *buffer, size_t buflen, int *errnop)
227  	{
228  	    struct sss_cli_req_data rd;
229  	    struct sss_nss_pw_rep pwrep;
230  	    uint8_t *repbuf;
231  	    size_t replen, len;
232  	    enum nss_status nret;
233  	    uint32_t user_uid;
234  	    int ret;
235  	
236  	    /* Caught once glibc passing in buffer == 0x0 */
237  	    if (!buffer || !buflen) return ERANGE;
238  	
239  	    user_uid = uid;
240  	    rd.len = sizeof(uint32_t);
241  	    rd.data = &user_uid;
242  	
243  	    nret = sss_nss_make_request(SSS_NSS_GETPWUID, &rd,
244  	                                &repbuf, &replen, errnop);
245  	    if (nret != NSS_STATUS_SUCCESS) {
246  	        return nret;
247  	    }
248  	
249  	    pwrep.result = result;
250  	    pwrep.buffer = buffer;
251  	    pwrep.buflen = buflen;
252  	
253  	    /* no results if not found */
254  	    if (((uint32_t *)repbuf)[0] == 0) {
255  	        free(repbuf);
256  	        return NSS_STATUS_NOTFOUND;
257  	    }
258  	
259  	    /* only 1 result is accepted for this function */
260  	    if (((uint32_t *)repbuf)[0] != 1) {
261  	        *errnop = EBADMSG;
262  	        return NSS_STATUS_TRYAGAIN;
263  	    }
264  	
265  	    len = replen - 8;
266  	    ret = sss_nss_getpw_readrep(&pwrep, repbuf+8, &len);
267  	    free(repbuf);
268  	    if (ret) {
269  	        *errnop = ret;
270  	        return NSS_STATUS_TRYAGAIN;
271  	    }
272  	
273  	    return NSS_STATUS_SUCCESS;
274  	}
275  	
276  	enum nss_status _nss_sss_setpwent(void)
277  	{
278  	    enum nss_status nret;
279  	    int errnop;
280  	
281  	    /* make sure we do not have leftovers, and release memory */
282  	    sss_nss_getpwent_data_clean();
283  	
284  	    nret = sss_nss_make_request(SSS_NSS_SETPWENT,
285  	                                NULL, NULL, NULL, &errnop);
286  	    if (nret != NSS_STATUS_SUCCESS) {
287  	        errno = errnop;
288  	        return nret;
289  	    }
290  	
291  	    return NSS_STATUS_SUCCESS;
292  	}
293  	
294  	enum nss_status _nss_sss_getpwent_r(struct passwd *result,
295  	                                    char *buffer, size_t buflen,
296  	                                    int *errnop)
297  	{
298  	    struct sss_cli_req_data rd;
299  	    struct sss_nss_pw_rep pwrep;
300  	    uint8_t *repbuf;
301  	    size_t replen;
302  	    enum nss_status nret;
303  	    uint32_t num_entries;
304  	    int ret;
305  	
306  	    /* Caught once glibc passing in buffer == 0x0 */
307  	    if (!buffer || !buflen) return ERANGE;
308  	
309  	    /* if there are leftovers return the next one */
310  	    if (sss_nss_getpwent_data.data != NULL &&
311  	        sss_nss_getpwent_data.ptr < sss_nss_getpwent_data.len) {
312  	
313  	        repbuf = sss_nss_getpwent_data.data + sss_nss_getpwent_data.ptr;
314  	        replen = sss_nss_getpwent_data.len - sss_nss_getpwent_data.ptr;
315  	
316  	        pwrep.result = result;
317  	        pwrep.buffer = buffer;
318  	        pwrep.buflen = buflen;
319  	
320  	        ret = sss_nss_getpw_readrep(&pwrep, repbuf, &replen);
321  	        if (ret) {
322  	            *errnop = ret;
323  	            return NSS_STATUS_TRYAGAIN;
324  	        }
325  	
326  	        /* advance buffer pointer */
327  	        sss_nss_getpwent_data.ptr = sss_nss_getpwent_data.len - replen;
328  	
329  	        return NSS_STATUS_SUCCESS;
330  	    }
331  	
332  	    /* release memory if any */
333  	    sss_nss_getpwent_data_clean();
334  	
335  	    /* retrieve no more than SSS_NSS_MAX_ENTRIES at a time */
336  	    num_entries = SSS_NSS_MAX_ENTRIES;
337  	    rd.len = sizeof(uint32_t);
338  	    rd.data = &num_entries;
339  	
340  	    nret = sss_nss_make_request(SSS_NSS_GETPWENT, &rd,
341  	                                &repbuf, &replen, errnop);
342  	    if (nret != NSS_STATUS_SUCCESS) {
343  	        return nret;
344  	    }
345  	
346  	    /* no results if not found */
347  	    if ((((uint32_t *)repbuf)[0] == 0) || (replen - 8 == 0)) {
348  	        free(repbuf);
349  	        return NSS_STATUS_NOTFOUND;
350  	    }
351  	
352  	    sss_nss_getpwent_data.data = repbuf;
353  	    sss_nss_getpwent_data.len = replen;
354  	    sss_nss_getpwent_data.ptr = 8; /* skip metadata fields */
355  	
356  	    /* call again ourselves, this will return the first result */
357  	    return _nss_sss_getpwent_r(result, buffer, buflen, errnop);
358  	}
359  	
360  	enum nss_status _nss_sss_endpwent(void)
361  	{
362  	    enum nss_status nret;
363  	    int errnop;
364  	
365  	    /* make sure we do not have leftovers, and release memory */
366  	    sss_nss_getpwent_data_clean();
367  	
368  	    nret = sss_nss_make_request(SSS_NSS_ENDPWENT,
369  	                                NULL, NULL, NULL, &errnop);
370  	    if (nret != NSS_STATUS_SUCCESS) {
371  	        errno = errnop;
372  	        return nret;
373  	    }
374  	
375  	    return NSS_STATUS_SUCCESS;
376  	}