From 9ad1d357e0db6175124257156f035a043c2ced8c Mon Sep 17 00:00:00 2001
From: Alan Somers <asomers@FreeBSD.org>
Date: Sat, 19 Sep 2020 19:08:27 +0000
Subject: fix integer underflow in getgrnam_r and getpwnam_r

Sometimes nscd(8) will return a 1-byte buffer for a nonexistent entry. This
triggered an integer underflow in grp_unmarshal_func, causing getgrnam_r to
return ERANGE instead of 0.

Fix the user's buffer size check, and add a correct check for a too-small
nscd buffer.

PR:		248932
Event:		September 2020 Bugathon
Reviewed by:	markj
MFC after:	2 weeks
Sponsored by:	Axcient
Differential Revision: https://reviews.freebsd.org/D26204
---
 lib/libc/gen/getgrent.c | 17 +++++++++++++++--
 lib/libc/gen/getpwent.c | 11 +++++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/lib/libc/gen/getgrent.c b/lib/libc/gen/getgrent.c
index 650ba1de9a68..b3699cae3c45 100644
--- a/lib/libc/gen/getgrent.c
+++ b/lib/libc/gen/getgrent.c
@@ -334,15 +334,28 @@ grp_unmarshal_func(char *buffer, size_t buffer_size, void *retval, va_list ap,
 	orig_buf_size = va_arg(ap, size_t);
 	ret_errno = va_arg(ap, int *);
 
-	if (orig_buf_size <
-	    buffer_size - sizeof(struct group) - sizeof(char *)) {
+	if (orig_buf_size + sizeof(struct group) + sizeof(char *) < buffer_size)
+	{
 		*ret_errno = ERANGE;
 		return (NS_RETURN);
+	} else if (buffer_size < sizeof(struct group) + sizeof(char *)) {
+		/*
+		 * nscd(8) sometimes returns buffer_size=1 for nonexistent
+		 * entries.
+		 */
+		*ret_errno = 0;
+		return (NS_NOTFOUND);
 	}
 
 	memcpy(grp, buffer, sizeof(struct group));
 	memcpy(&p, buffer + sizeof(struct group), sizeof(char *));
 
+	if (orig_buf_size + sizeof(struct group) + sizeof(char *) +
+	    _ALIGN(p) - (size_t)p < buffer_size) {
+		*ret_errno = ERANGE;
+		return (NS_RETURN);
+	}
+
 	orig_buf = (char *)_ALIGN(orig_buf);
 	memcpy(orig_buf, buffer + sizeof(struct group) + sizeof(char *) +
 	    _ALIGN(p) - (size_t)p,
diff --git a/lib/libc/gen/getpwent.c b/lib/libc/gen/getpwent.c
index 1f2ccf33150a..09f84f9576ee 100644
--- a/lib/libc/gen/getpwent.c
+++ b/lib/libc/gen/getpwent.c
@@ -389,10 +389,17 @@ pwd_unmarshal_func(char *buffer, size_t buffer_size, void *retval, va_list ap,
 	orig_buf_size = va_arg(ap, size_t);
 	ret_errno = va_arg(ap, int *);
 
-	if (orig_buf_size <
-	    buffer_size - sizeof(struct passwd) - sizeof(char *)) {
+	if (orig_buf_size + sizeof(struct passwd) + sizeof(char *) <
+	    buffer_size) {
 		*ret_errno = ERANGE;
 		return (NS_RETURN);
+	} else if (buffer_size < sizeof(struct passwd) + sizeof(char *)) {
+		/*
+		 * nscd(8) sometimes returns buffer_size=1 for nonexistent
+		 * entries.
+		 */
+		*ret_errno = 0;
+		return (NS_NOTFOUND);
 	}
 
 	memcpy(pwd, buffer, sizeof(struct passwd));
-- 
cgit v1.2.3