1    	/*
2    	 * System Security Services Daemon. NSS client interface
3    	 *
4    	 * Copyright (C) Simo Sorce 2007
5    	 *
6    	 * This program is free software; you can redistribute it and/or modify
7    	 * it under the terms of the GNU Lesser General Public License as
8    	 * published by the Free Software Foundation; either version 2.1 of the
9    	 * License, or (at your option) any later version.
10   	 *
11   	 * This program is distributed in the hope that it will be useful,
12   	 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13   	 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14   	 * GNU Lesser General Public License for more details.
15   	 *
16   	 * You should have received a copy of the GNU Lesser General Public
17   	 * License along with this program; if not, write to the Free Software
18   	 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19   	 */
20   	
21   	/* GROUP database NSS interface */
22   	
23   	#include <nss.h>
24   	#include <errno.h>
25   	#include <sys/types.h>
26   	#include <unistd.h>
27   	#include <stdlib.h>
28   	#include <stdint.h>
29   	#include <string.h>
30   	#include "sss_cli.h"
31   	
32   	static struct sss_nss_getgrent_data {
33   	    size_t len;
34   	    size_t ptr;
35   	    uint8_t *data;
36   	} sss_nss_getgrent_data;
37   	
38   	static void sss_nss_getgrent_data_clean(void) {
39   	
40   	    if (sss_nss_getgrent_data.data != NULL) {
41   	        free(sss_nss_getgrent_data.data);
42   	        sss_nss_getgrent_data.data = NULL;
43   	    }
44   	    sss_nss_getgrent_data.len = 0;
45   	    sss_nss_getgrent_data.ptr = 0;
46   	}
47   	
48   	/* GETGRNAM Request:
49   	 *
50   	 * 0-X: string with name
51   	 *
52   	 * GERTGRGID Request:
53   	 *
54   	 * 0-7: 32bit number with gid
55   	 *
56   	 * INITGROUPS Request:
57   	 *
58   	 * 0-3: 32bit number with gid
59   	 * 4-7: 32bit unsigned with max num of entries
60   	 *
61   	 * Replies:
62   	 *
63   	 * 0-3: 32bit unsigned number of results
64   	 * 4-7: 32bit unsigned (reserved/padding)
65   	 *  For each result (64bit padded ?):
66   	 *  0-3: 32bit number gid
67   	 *  4-7: 32bit unsigned number of members
68   	 *  8-X: sequence of 0 terminated strings (name, passwd, mem..)
69   	 *
70   	 *  FIXME: do we need to pad so that each result is 32 bit aligned ?
71   	 */
72   	struct sss_nss_gr_rep {
73   	    struct group *result;
74   	    char *buffer;
75   	    size_t buflen;
76   	};
77   	
78   	static int sss_nss_getgr_readrep(struct sss_nss_gr_rep *pr,
79   	                                 uint8_t *buf, size_t *len)
80   	{
81   	    size_t i, l, slen, ptmem, pad;
82   	    ssize_t dlen;
83   	    char *sbuf;
84   	    uint32_t mem_num;
85   	    uint32_t c;
86   	
87   	    if (*len < 11) { /* not enough space for data, bad packet */
88   	        return EBADMSG;
89   	    }
90   	
91   	    SAFEALIGN_COPY_UINT32(&c, buf, NULL);
92   	    pr->result->gr_gid = c;
93   	    SAFEALIGN_COPY_UINT32(&mem_num, buf+sizeof(uint32_t), NULL);
94   	
95   	    sbuf = (char *)&buf[8];
96   	    slen = *len - 8;
97   	    dlen = pr->buflen;
98   	
99   	    pr->result->gr_name = &(pr->buffer[0]);
100  	    i = 0;
101  	    while (slen > i && dlen > 0) {
102  	        pr->buffer[i] = sbuf[i];
103  	        if (pr->buffer[i] == '\0') break;
104  	        i++;
105  	        dlen--;
106  	    }
107  	    if (slen <= i) { /* premature end of buf */
108  	        return EBADMSG;
109  	    }
110  	    if (dlen <= 0) { /* not enough memory */
111  	        return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
112  	    }
113  	    i++;
114  	    dlen--;
115  	
116  	    pr->result->gr_passwd = &(pr->buffer[i]);
117  	    while (slen > i && dlen > 0) {
118  	        pr->buffer[i] = sbuf[i];
119  	        if (pr->buffer[i] == '\0') break;
120  	        i++;
121  	        dlen--;
122  	    }
123  	    if (slen <= i) { /* premature end of buf */
124  	        return EBADMSG;
125  	    }
126  	    if (dlen <= 0) { /* not enough memory */
127  	        return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
128  	    }
129  	    i++;
130  	    dlen--;
131  	
132  	    /* Make sure pr->buffer[i+pad] is 32 bit aligned */
133  	    pad = 0;
134  	    while((i + pad) % 4) {
135  	        pad++;
136  	    }
137  	
138  	    /* now members */
139  	    pr->result->gr_mem = (char **)&(pr->buffer[i+pad]);
140  	    ptmem = (sizeof(char *) * (mem_num + 1)) + pad;
141  	    if (ptmem > dlen) {
142  	        return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
143  	    }
144  	    dlen -= ptmem;
145  	    ptmem += i;
146  	    pr->result->gr_mem[mem_num] = NULL; /* terminate array */
147  	
148  	    for (l = 0; l < mem_num; l++) {
149  	        pr->result->gr_mem[l] = &(pr->buffer[ptmem]);
150  	        while ((slen > i) && (dlen > 0)) {
151  	            pr->buffer[ptmem] = sbuf[i];
152  	            if (pr->buffer[ptmem] == '\0') break;
153  	            i++;
154  	            dlen--;
155  	            ptmem++;
156  	        }
157  	        if (slen <= i) { /* premature end of buf */
158  	            return EBADMSG;
159  	        }
160  	        if (dlen <= 0) { /* not enough memory */
161  	            return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
162  	        }
163  	        i++;
164  	        dlen--;
165  	        ptmem++;
166  	    }
167  	
168  	    *len = slen -i;
169  	    return 0;
170  	}
171  	
172  	/* INITGROUP Reply:
173  	 *
174  	 * 0-3: 32bit unsigned number of results
175  	 * 4-7: 32bit unsigned (reserved/padding)
176  	 * For each result:
177  	 *  0-4: 32bit number with gid
178  	 */
179  	
180  	
181  	enum nss_status _nss_sss_initgroups_dyn(const char *user, gid_t group,
182  	                                        long int *start, long int *size,
183  	                                        gid_t **groups, long int limit,
184  	                                        int *errnop)
185  	{
186  	    struct sss_cli_req_data rd;
187  	    uint8_t *repbuf;
188  	    size_t replen;
189  	    enum nss_status nret;
190  	    uint32_t *rbuf;
191  	    uint32_t num_ret;
192  	    long int l, max_ret;
193  	
194  	    rd.len = strlen(user) +1;
195  	    rd.data = user;
196  	
Event alloc_arg: Calling allocation function "sss_nss_make_request" on "repbuf". [model]
Also see events: [var_assign][leaked_storage][leaked_storage]
197  	    nret = sss_nss_make_request(SSS_NSS_INITGR, &rd,
198  	                                &repbuf, &replen, errnop);
At conditional (1): "nret != 1": Taking false branch.
199  	    if (nret != NSS_STATUS_SUCCESS) {
200  	        return nret;
201  	    }
202  	
203  	    /* no results if not found */
204  	    num_ret = ((uint32_t *)repbuf)[0];
At conditional (2): "num_ret == 0U": Taking false branch.
205  	    if (num_ret == 0) {
206  	        free(repbuf);
207  	        return NSS_STATUS_NOTFOUND;
208  	    }
209  	    max_ret = num_ret;
210  	
211  	    /* check we have enough space in the buffer */
At conditional (3): "*size - *start < num_ret": Taking true branch.
212  	    if ((*size - *start) < num_ret) {
213  	        long int newsize;
214  	        gid_t *newgroups;
215  	
216  	        newsize = *size + num_ret;
At conditional (4): "limit > 0L": Taking true branch.
At conditional (5): "newsize > limit": Taking true branch.
217  	        if ((limit > 0) && (newsize > limit)) {
218  	            newsize = limit;
219  	            max_ret = newsize - *start;
220  	        }
221  	
222  	        newgroups = (gid_t *)realloc((*groups), newsize * sizeof(**groups));
At conditional (6): "!newgroups": Taking false branch.
223  	        if (!newgroups) {
224  	            *errnop = ENOMEM;
225  	            free(repbuf);
226  	            return NSS_STATUS_TRYAGAIN;
227  	        }
228  	        *groups = newgroups;
229  	        *size = newsize;
230  	    }
231  	
Event var_assign: Assigning: "rbuf" = "repbuf".
Also see events: [alloc_arg][leaked_storage][leaked_storage]
232  	    rbuf = &((uint32_t *)repbuf)[2];
At conditional (7): "l < max_ret": Taking true branch.
At conditional (8): "l < max_ret": Taking true branch.
At conditional (9): "l < max_ret": Taking false branch.
233  	    for (l = 0; l < max_ret; l++) {
234  	        (*groups)[*start] = rbuf[l];
235  	        *start += 1;
236  	    }
237  	
Event leaked_storage: Variable "rbuf" going out of scope leaks the storage it points to.
Event leaked_storage: Variable "repbuf" going out of scope leaks the storage it points to.
Also see events: [alloc_arg][var_assign]
238  	    return NSS_STATUS_SUCCESS;
239  	}
240  	
241  	
242  	enum nss_status _nss_sss_getgrnam_r(const char *name, struct group *result,
243  	                                    char *buffer, size_t buflen, int *errnop)
244  	{
245  	    struct sss_cli_req_data rd;
246  	    struct sss_nss_gr_rep grrep;
247  	    uint8_t *repbuf;
248  	    size_t replen, len;
249  	    enum nss_status nret;
250  	    int ret;
251  	
252  	    /* Caught once glibc passing in buffer == 0x0 */
253  	    if (!buffer || !buflen) return ERANGE;
254  	
255  	    rd.len = strlen(name) + 1;
256  	    rd.data = name;
257  	
258  	    nret = sss_nss_make_request(SSS_NSS_GETGRNAM, &rd,
259  	                                &repbuf, &replen, errnop);
260  	    if (nret != NSS_STATUS_SUCCESS) {
261  	        return nret;
262  	    }
263  	
264  	    grrep.result = result;
265  	    grrep.buffer = buffer;
266  	    grrep.buflen = buflen;
267  	
268  	    /* no results if not found */
269  	    if (((uint32_t *)repbuf)[0] == 0) {
270  	        free(repbuf);
271  	        return NSS_STATUS_NOTFOUND;
272  	    }
273  	
274  	    /* only 1 result is accepted for this function */
275  	    if (((uint32_t *)repbuf)[0] != 1) {
276  	        *errnop = EBADMSG;
277  	        return NSS_STATUS_TRYAGAIN;
278  	    }
279  	
280  	    len = replen - 8;
281  	    ret = sss_nss_getgr_readrep(&grrep, repbuf+8, &len);
282  	    free(repbuf);
283  	    if (ret) {
284  	        *errnop = ret;
285  	        return NSS_STATUS_TRYAGAIN;
286  	    }
287  	
288  	    return NSS_STATUS_SUCCESS;
289  	}
290  	
291  	enum nss_status _nss_sss_getgrgid_r(gid_t gid, struct group *result,
292  	                                    char *buffer, size_t buflen, int *errnop)
293  	{
294  	    struct sss_cli_req_data rd;
295  	    struct sss_nss_gr_rep grrep;
296  	    uint8_t *repbuf;
297  	    size_t replen, len;
298  	    enum nss_status nret;
299  	    uint32_t group_gid;
300  	    int ret;
301  	
302  	    /* Caught once glibc passing in buffer == 0x0 */
303  	    if (!buffer || !buflen) return ERANGE;
304  	
305  	    group_gid = gid;
306  	    rd.len = sizeof(uint32_t);
307  	    rd.data = &group_gid;
308  	
309  	    nret = sss_nss_make_request(SSS_NSS_GETGRGID, &rd,
310  	                                &repbuf, &replen, errnop);
311  	    if (nret != NSS_STATUS_SUCCESS) {
312  	        return nret;
313  	    }
314  	
315  	    grrep.result = result;
316  	    grrep.buffer = buffer;
317  	    grrep.buflen = buflen;
318  	
319  	    /* no results if not found */
320  	    if (((uint32_t *)repbuf)[0] == 0) {
321  	        free(repbuf);
322  	        return NSS_STATUS_NOTFOUND;
323  	    }
324  	
325  	    /* only 1 result is accepted for this function */
326  	    if (((uint32_t *)repbuf)[0] != 1) {
327  	        *errnop = EBADMSG;
328  	        return NSS_STATUS_TRYAGAIN;
329  	    }
330  	
331  	    len = replen - 8;
332  	    ret = sss_nss_getgr_readrep(&grrep, repbuf+8, &len);
333  	    free(repbuf);
334  	    if (ret) {
335  	        *errnop = ret;
336  	        return NSS_STATUS_TRYAGAIN;
337  	    }
338  	
339  	    return NSS_STATUS_SUCCESS;
340  	}
341  	
342  	enum nss_status _nss_sss_setgrent(void)
343  	{
344  	    enum nss_status nret;
345  	    int errnop;
346  	
347  	    /* make sure we do not have leftovers, and release memory */
348  	    sss_nss_getgrent_data_clean();
349  	
350  	    nret = sss_nss_make_request(SSS_NSS_SETGRENT,
351  	                                NULL, NULL, NULL, &errnop);
352  	    if (nret != NSS_STATUS_SUCCESS) {
353  	        errno = errnop;
354  	        return nret;
355  	    }
356  	
357  	    return NSS_STATUS_SUCCESS;
358  	}
359  	
360  	enum nss_status _nss_sss_getgrent_r(struct group *result,
361  	                                    char *buffer, size_t buflen, int *errnop)
362  	{
363  	    struct sss_cli_req_data rd;
364  	    struct sss_nss_gr_rep grrep;
365  	    uint8_t *repbuf;
366  	    size_t replen;
367  	    enum nss_status nret;
368  	    uint32_t num_entries;
369  	    int ret;
370  	
371  	    /* Caught once glibc passing in buffer == 0x0 */
372  	    if (!buffer || !buflen) return ERANGE;
373  	
374  	    /* if there are leftovers return the next one */
375  	    if (sss_nss_getgrent_data.data != NULL &&
376  	        sss_nss_getgrent_data.ptr < sss_nss_getgrent_data.len) {
377  	
378  	        repbuf = (uint8_t *)sss_nss_getgrent_data.data +
379  	                    sss_nss_getgrent_data.ptr;
380  	        replen = sss_nss_getgrent_data.len -
381  	                    sss_nss_getgrent_data.ptr;
382  	
383  	        grrep.result = result;
384  	        grrep.buffer = buffer;
385  	        grrep.buflen = buflen;
386  	
387  	        ret = sss_nss_getgr_readrep(&grrep, repbuf, &replen);
388  	        if (ret) {
389  	            *errnop = ret;
390  	            return NSS_STATUS_TRYAGAIN;
391  	        }
392  	
393  	        /* advance buffer pointer */
394  	        sss_nss_getgrent_data.ptr = sss_nss_getgrent_data.len - replen;
395  	
396  	        return NSS_STATUS_SUCCESS;
397  	    }
398  	
399  	    /* release memory if any */
400  	    sss_nss_getgrent_data_clean();
401  	
402  	    /* retrieve no more than SSS_NSS_MAX_ENTRIES at a time */
403  	    num_entries = SSS_NSS_MAX_ENTRIES;
404  	    rd.len = sizeof(uint32_t);
405  	    rd.data = &num_entries;
406  	
407  	    nret = sss_nss_make_request(SSS_NSS_GETGRENT, &rd,
408  	                                &repbuf, &replen, errnop);
409  	    if (nret != NSS_STATUS_SUCCESS) {
410  	        return nret;
411  	    }
412  	
413  	    /* no results if not found */
414  	    if ((((uint32_t *)repbuf)[0] == 0) || (replen - 8 == 0)) {
415  	        free(repbuf);
416  	        return NSS_STATUS_NOTFOUND;
417  	    }
418  	
419  	    sss_nss_getgrent_data.data = repbuf;
420  	    sss_nss_getgrent_data.len = replen;
421  	    sss_nss_getgrent_data.ptr = 8; /* skip metadata fields */
422  	
423  	    /* call again ourselves, this will return the first result */
424  	    return _nss_sss_getgrent_r(result, buffer, buflen, errnop);
425  	}
426  	
427  	enum nss_status _nss_sss_endgrent(void)
428  	{
429  	    enum nss_status nret;
430  	    int errnop;
431  	
432  	    /* make sure we do not have leftovers, and release memory */
433  	    sss_nss_getgrent_data_clean();
434  	
435  	    nret = sss_nss_make_request(SSS_NSS_ENDGRENT,
436  	                                NULL, NULL, NULL, &errnop);
437  	    if (nret != NSS_STATUS_SUCCESS) {
438  	        errno = errnop;
439  	        return nret;
440  	    }
441  	
442  	    return NSS_STATUS_SUCCESS;
443  	}