
(-)file_not_specified_in_diff (-2 / +3 lines)
Lines 243-282 int flush_userHash_to_file(DBM *dbm_ptr, Link Here
243
	/* format is name:x:uid:gid:gecos:dir:shell:userfdn:passwdHash:number of gids:
262
	/* format is name:x:uid:gid:gecos:dir:shell:userfdn:passwdHash:number of gids:
244
				 gid1:gid2:gid3...... 		
263
				 gid1:gid2:gid3...... 		
245
	*/
264
	*/
246
	sprintf(str,"%s:%s:%x:%x:",userHashEntry->pwd->pw_name,
265
	snprintf(str,len-1,"%s:%s:%x:%x:",userHashEntry->pwd->pw_name,
Lines 366-377 int flush_groupHash_to_file(DBM *dbm_ptr Link Here
366
		syslog(LOG_DEBUG,"Unable to allocate memory for group string");
418
		syslog(LOG_DEBUG,"Unable to allocate memory for group string");
367
		return MALLOC_ERROR;
419
		return MALLOC_ERROR;
368
	}
420
	}
421
	memset(str,0,len);
369
422
370
	/* format is name:x:gid:member_count:member1:member2:....	*/
423
	/* format is name:x:gid:member_count:member1:member2:....	*/
371
	sptr = str;
424
	sptr = str;
372
	sprintf(str,"%s:%s:%x:%x:",groupHashEntry->grp->gr_name,
425
	snprintf(str,len-1, "%s:%s:%x:%x:",groupHashEntry->grp->gr_name,
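Review bot: The `snprintf(str,len-1,...)` calls at new lines 265 and 425 discard the return value, so a record that does not fit is truncated silently and a cut-off passwd or group line could reach the output file. snprintf already reserves room for the terminating NUL, so the size argument can be `len`, and the result should be tested: `n = snprintf(str, len, ...);` followed by an error return when `n < 0` or `n` is not smaller than `len`. This matters most if the code after the hunk advances `sptr` by the formatted length, which would then point past the buffer; both statements continue outside the visible lines, so that part is unconfirmed. The allocation-failure message at line 418 is logged at `LOG_DEBUG` and would be easier to find at `LOG_ERR`.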
(-)novell-lum.bak/novell-lum-2.2.0/namcd/nss_ldap.c (-2 / +2 lines)
Lines 1223-1229 NSS_STATUS getGrpbyName_fromNDS(nds_nss_ Link Here
1223
    return error;
1223
    return error;
1224
  }
1224
  }
1225
1225
1226
  sprintf(filter, "%s%s%s%s%s","(&(objectclass=", UNIXGROUPOBJECT, ")(cn=", name, "))");// XXX tom: snprintf()?
1226
  sprintf(filter, "%s%s%s%s%s","(&(objectclass=", UNIXGROUPOBJECT, ")(cn=", name, "))");
1227
1227
1228
  if ((status = searchAndFillGrpStruct_fromNDS(nss_priv->ldapprivate.ld, 
1228
  if ((status = searchAndFillGrpStruct_fromNDS(nss_priv->ldapprivate.ld, 
1229
                                               LDAP_SCOPE_BASE, 
1229
                                               LDAP_SCOPE_BASE, 
Lines 2955-2961 NSS_STATUS populate_userHash_fromNDS(nds Link Here
2955
2955
2956
    if ((dn = ldap_get_dn(nss_priv->ldapprivate.ld, e)) != NULL)
2956
    if ((dn = ldap_get_dn(nss_priv->ldapprivate.ld, e)) != NULL)
2957
    {
2957
    {
2958
      fdn = (char*)calloc((strlen(dn)+1), sizeof(char)); // XXX tom: check for NULL
2958
      fdn = (char*)calloc((strlen(dn)+1), sizeof(char));
2959
      strcpy(fdn, dn);
2959
      strcpy(fdn, dn);
2960
      ldap_memfree(dn);
2960
      ldap_memfree(dn);
2961
    }
2961
    }
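Review bot: The `sprintf(filter, ...)` at line 1226 copies `name` into the LDAP search filter with neither a length bound nor escaping, so a long name can overrun `filter` and a name containing `*`, `(`, `)` or `\` changes the meaning of the filter. The declaration of `filter` is outside the hunk; assuming it is a local array, use `snprintf(filter, sizeof filter, "(&(objectclass=%s)(cn=%s))", UNIXGROUPOBJECT, escaped_name)` and fail the lookup when the result is truncated, where `escaped_name` is a placeholder for `name` with the RFC 4515 special characters escaped. In populate_userHash_fromNDS the `calloc` result at line 2958 goes to `strcpy` unchecked; add `if (fdn == NULL) { ldap_memfree(dn); /* return an error */ }` before the copy.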
(-)novell-lum.bak/novell-lum-2.2.0/namcd/requests.c (-7 / +7 lines)
Lines 206-219 int readFromSock(int sockfd, int flag, i Link Here
206
	if (flag==LENANDDATA)
206
	if (flag==LENANDDATA)
207
	{
207
	{
208
		int nb = *len,nbr;
208
		int nb = *len,nbr;
209
		*name = (char*)malloc(nb); // XXX tom: why should we trust this value?
209
		*name = (char*)malloc(nb);
210
		if (NULL == *name)
210
		if (NULL == *name)
211
		{
211
		{
212
			syslog(LOG_ERR, "readFromSock: Unable to allocate memory.");
212
			syslog(LOG_ERR, "readFromSock: Unable to allocate memory.");
213
			return MALLOC_ERROR;
213
			return MALLOC_ERROR;
214
		}
214
		}
215
		/* read the name from socket */
215
		/* read the name from socket */
216
		if ((nbr = _nds_nss_readFromSock(sockfd,*name, *len, NORESPONSE_TIMEOUT)) != nb) // XXX tom: can this overflow *name?
216
		if ((nbr = _nds_nss_readFromSock(sockfd,*name, *len, NORESPONSE_TIMEOUT)) != nb)
217
		{
217
		{
218
			syslog(LOG_ERR,"readFromSock: Error reading from socket (len and data), errno=%d.",errno);
218
			syslog(LOG_ERR,"readFromSock: Error reading from socket (len and data), errno=%d.",errno);
219
			//write_errToSock(sockfd,errno);
219
			//write_errToSock(sockfd,errno);
Lines 245-251 int readFromSockExt(int sockfd, int *len Link Here
245
#endif
245
#endif
246
246
247
	nb = *len;
247
	nb = *len;
248
	*name = (char*)malloc(nb); // XXX tom: untrusted value
248
	*name = (char*)malloc(nb);
249
249
250
	if (*name == NULL)
250
	if (*name == NULL)
251
	{
251
	{
Lines 255-261 int readFromSockExt(int sockfd, int *len Link Here
255
	}
255
	}
256
256
257
	/* read the name from the socket */
257
	/* read the name from the socket */
258
	if ((nbr = _nds_nss_readFromSock(sockfd, *name, *len, NORESPONSE_TIMEOUT)) != nb) // XXX tom: possible overflow
258
	if ((nbr = _nds_nss_readFromSock(sockfd, *name, *len, NORESPONSE_TIMEOUT)) != nb)
259
	{
259
	{
260
		syslog(LOG_ERR,"readFromSockExt: Error reading name from the socket, errno=%d.",errno);
260
		syslog(LOG_ERR,"readFromSockExt: Error reading name from the socket, errno=%d.",errno);
261
		*name = NULL;
261
		*name = NULL;
Lines 278-287 int readFromSockExt(int sockfd, int *len Link Here
278
	syslog(LOG_DEBUG,"readFromSockExt: Password length = %d.", *lenForPass);
278
	syslog(LOG_DEBUG,"readFromSockExt: Password length = %d.", *lenForPass);
279
#endif
279
#endif
280
280
281
	nb = *lenForPass; // XXX tom: untrusted value
281
	nb = *lenForPass;
282
	if (nb != 0 )
282
	if (nb != 0 )
283
	{
283
	{
284
		*pass = (char*)malloc(nb); // XXX tom: can result in DoS, let nb be -1
284
		*pass = (char*)malloc(nb);
285
285
286
		if (*pass == NULL)
286
		if (*pass == NULL)
287
		{
287
		{
Lines 354-360 static int copy_tree(const char *src_roo Link Here
354
			err++;
284
			err++;
355
			break;
285
			break;
356
		}
286
		}
357
		if ((ofd = open (dst_name, O_WRONLY|O_CREAT, 0)) < 0 || // XXX tom: this will follow sym links. a problem?
287
		if ((ofd = open (dst_name, O_WRONLY|O_CREAT, 0)) < 0 ||
358
			chown (dst_name, uid == (uid_t) -1 ? sb.st_uid:uid,
288
			chown (dst_name, uid == (uid_t) -1 ? sb.st_uid:uid,
359
					gid == (gid_t) -1 ? sb.st_gid:gid) ||
289
					gid == (gid_t) -1 ? sb.st_gid:gid) ||
360
				chmod (dst_name, sb.st_mode & 07777)) {
290
				chmod (dst_name, sb.st_mode & 07777)) {
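Review bot: readFromSock (line 209) and readFromSockExt (lines 248 and 284) pass a length that appears to come from the socket peer straight to `malloc` as an `int`, so a negative value becomes a huge `size_t` request and any large value lets a client force an arbitrary allocation. Range-check before allocating, e.g. `if (nb <= 0 || nb > MAX_REQ_LEN) return <error>;`, where `MAX_REQ_LEN` is a placeholder for a protocol limit that is not visible here. On the failure path at line 261, `*name = NULL;` drops the buffer allocated at line 248 without a visible `free`, which leaks it on every short read. In copy_tree, `open (dst_name, O_WRONLY|O_CREAT, 0)` follows a symlink already present at `dst_name`, and the path-based `chown`/`chmod` then act on whatever the name resolves to; adding `O_EXCL|O_NOFOLLOW` and switching to `fchown`/`fchmod` on `ofd` closes that gap.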
(-)novell-lum.bak/novell-lum-2.2.0/pam/ntsolsync.c (-2 / +2 lines)
Lines 68-74 int SetLMandNTpassword(LDAP *handle,char Link Here
68
  //attrValues=(DDCVALUE *)malloc(SIZE);
68
  //attrValues=(DDCVALUE *)malloc(SIZE);
69
  //currentattributeValuePointer=attrValues;
69
  //currentattributeValuePointer=attrValues;
70
  //memset(attrValues,0,SIZE);
70
  //memset(attrValues,0,SIZE);
71
  strcpy(password,newpassword); // XXX tom: can we be sure that it fits in the buffer?
71
  strcpy(password,newpassword);
72
72
73
  //Get the Lan Manager password hash to store in user attribute
73
  //Get the Lan Manager password hash to store in user attribute
74
    HashLMpassword(password, passwordB,passwordD);
74
    HashLMpassword(password, passwordB,passwordD);
Lines 445-451 int HashNTpassword(pnstr8 newPassword Link Here
445
      &messageDigest);
445
      &messageDigest);
446
446
447
447
448
      /* Encrypt the NT OWF password using a random value as the key. // XXX tom: if this really need to be random rand() will not work. same situation on other places
448
      /* Encrypt the NT OWF password using a random value as the key.
449
      */
449
      */
450
   des_ecb_encrypt_with_index(
450
   des_ecb_encrypt_with_index(
451
      (PDES_CLEAR_BLOCK)&messageDigest,
451
      (PDES_CLEAR_BLOCK)&messageDigest,
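Review bot: `strcpy(password,newpassword)` at line 71 copies the caller's password into `password` with no length check; the buffer's declaration is outside the hunk, so its size cannot be confirmed here. Reject an over-long input rather than truncating it, since a truncated copy would be hashed as a different password: `if (strlen(newpassword) >= sizeof password) return <error>;` (this assumes `password` is an array, not a pointer). The local copy also holds the clear-text password, so it should be wiped before the function returns, with a call the compiler cannot drop, such as `explicit_bzero` where it is available.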
(-)novell-lum.bak/novell-lum-2.2.0/pam/pam_ap.c (-1 / +1 lines)
Lines 65-71 static void _pam_log (int error, const c Link Here
65
	openlog (identification, LOG_PID, LOG_AUTH);
65
	openlog (identification, LOG_PID, LOG_AUTH);
66
	/*  openlog (identification, LOG_PID, LOG_LOCAL0); */
66
	/*  openlog (identification, LOG_PID, LOG_LOCAL0); */
67
	setlogmask (LOG_UPTO (LOG_DEBUG));
67
	setlogmask (LOG_UPTO (LOG_DEBUG));
68
	syslog (error, buffer); // XXX tom: possible fmt str bug when called with user supplied data
68
	syslog (error, buffer);
69
	closelog ();
69
	closelog ();
70
}
70
}
71
71
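Review bot: `syslog (error, buffer);` at line 68 uses the assembled message as the format string, so any `%` sequence that reaches `buffer` from caller-supplied text is interpreted by syslog. Pass the message as an argument instead: `syslog (error, "%s", buffer);`. How `buffer` is filled is above the hunk; if it is built with an unbounded `vsprintf`, that call needs a size bound (`vsnprintf`) as well.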
(-)novell-lum.bak/novell-lum-2.2.0/pam/pamfunc.c (-3 / +3 lines)
Lines 531-537 extern int pam_sm_authenticate(pam_handl Link Here
531
531
532
			if (isPAMServiceOnExcludeList(pamh, userFDN, service, userinfo.pw_gid) == 0)
532
			if (isPAMServiceOnExcludeList(pamh, userFDN, service, userinfo.pw_gid) == 0)
533
			{
533
			{
534
				sprintf(infomsg,PAM_EXCLUDE_LIST, service, username); // XXX tom: buffer overflow?
534
				sprintf(infomsg,PAM_EXCLUDE_LIST, service, username);
535
				_nds_pam_display_converse(pamh, PAM_TEXT_INFO, infomsg,NORESPFLAG,dummychar1);
535
				_nds_pam_display_converse(pamh, PAM_TEXT_INFO, infomsg,NORESPFLAG,dummychar1);
536
#ifdef DEBUG
536
#ifdef DEBUG
537
				syslog(LOG_ERR,"PAM_NAM: pam_sm_authenticate(): PAM service for [%s] is excluded for user [%s].\n", service, username);
537
				syslog(LOG_ERR,"PAM_NAM: pam_sm_authenticate(): PAM service for [%s] is excluded for user [%s].\n", service, username);
Lines 558-564 extern int pam_sm_authenticate(pam_handl Link Here
558
			return PAM_SUCCESS;
558
			return PAM_SUCCESS;
559
559
560
		case ERR_PASSWD_EXPIRED:
560
		case ERR_PASSWD_EXPIRED:
561
			return PAM_SUCCESS; // XXX tom: is that the right behavior?
561
			return PAM_SUCCESS;
562
562
563
		case ERR_LOGIN_LOCKOUT:
563
		case ERR_LOGIN_LOCKOUT:
564
		case ERR_MAXIMUM_LOGINS_EXCEEDED:
564
		case ERR_MAXIMUM_LOGINS_EXCEEDED:
Lines 1483-1489 extern int pam_sm_chauthtok(pam_handle_t Link Here
1483
1315
1484
				if (_nds_pam_read_options(argc,(const char **)argv,storeoldpass,OPTIONS) == PAM_SUCCESS)
1316
				if (_nds_pam_read_options(argc,(const char **)argv,storeoldpass,OPTIONS) == PAM_SUCCESS)
1485
				{
1317
				{
1486
					strcpy(oldpass,storeoldpass); // XXX tom: does it fit?
1318
					strcpy(oldpass,storeoldpass);
1487
				}
1319
				}
1488
/* do a NULL bind here if the connection state has not been stored 
1320
/* do a NULL bind here if the connection state has not been stored 
1489
*by the auth module*/
1321
*by the auth module*/
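Review bot: `sprintf(infomsg,PAM_EXCLUDE_LIST, service, username)` at line 534 formats the service and user names into `infomsg` without a bound, and `strcpy(oldpass,storeoldpass)` at line 1486 has the same problem; neither destination's size is visible in the hunks. Assuming `infomsg` is an array, `snprintf(infomsg, sizeof infomsg, PAM_EXCLUDE_LIST, service, username);` limits the write. At line 561, `case ERR_PASSWD_EXPIRED: return PAM_SUCCESS;` deserves a comment stating where expiry is enforced (for example in the account-management hook); if nothing enforces it, an expired password still authenticates.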
(-)novell-lum.bak/novell-lum-2.2.0/pam/pam_misc.c (-11 / +11 lines)
Lines 111-117 int _nds_pam_display_converse(pam_handle Link Here
111
	{
111
	{
112
		if (resp && resp->resp)
112
		if (resp && resp->resp)
113
		{
113
		{
114
			strcpy(msgresp, resp->resp); // XXX tom: does it fit?
114
			strcpy(msgresp, resp->resp);
115
			free(resp->resp);
115
			free(resp->resp);
116
			free(resp);
116
			free(resp);
117
			return PAM_SUCCESS;
117
			return PAM_SUCCESS;
Lines 141-147 int _nds_pam_pass_converse(pam_handle_t Link Here
141
	{
141
	{
142
		if (resp && resp->resp)
142
		if (resp && resp->resp)
143
		{
143
		{
144
			strcpy(msgresp1, resp->resp); // XXX tom: does it fit?
144
			strcpy(msgresp1, resp->resp);
145
			pmsg[0] = &msg[0];
145
			pmsg[0] = &msg[0];
146
			msg[0].msg_style = msgstyle;
146
			msg[0].msg_style = msgstyle;
147
			msg[0].msg = msgdisp2;
147
			msg[0].msg = msgdisp2;
Lines 149-155 int _nds_pam_pass_converse(pam_handle_t Link Here
149
			{
149
			{
150
				if (resp1 && resp1->resp)
150
				if (resp1 && resp1->resp)
151
				{
151
				{
152
					strcpy(msgresp2, resp1->resp); // XXX tom: does it fit?
152
					strcpy(msgresp2, resp1->resp);
153
					free(resp);
153
					free(resp);
154
					free(resp1);
154
					free(resp1);
155
					return PAM_SUCCESS;
155
					return PAM_SUCCESS;
Lines 239-245 void _nds_cleanup_chars(pam_handle_t *pa Link Here
239
239
240
void init_sec_salt(char *sec_salt)
240
void init_sec_salt(char *sec_salt)
241
{
241
{
242
	sec_salt[0] = 'k'; // XXX tom: a constant salt is a non-existing salt
242
	sec_salt[0] = 'k';
243
	sec_salt[1] = 'y';
243
	sec_salt[1] = 'y';
244
	sec_salt[2] = '\0';
244
	sec_salt[2] = '\0';
245
	return;
245
	return;
Lines 353-359 int search(LDAP *handle,char *userFDN, c Link Here
353
				for ( i = 0; values[ i ] != NULL; i++ )
353
				for ( i = 0; values[ i ] != NULL; i++ )
354
				{
354
				{
355
					if (strcmp(attribute,attr[0])==0)
355
					if (strcmp(attribute,attr[0])==0)
356
						strcpy(val,values[i]); // XXX tom: does it fit?
356
						strcpy(val,values[i]);
357
				}
357
				}
358
				ldap_value_free( values );
358
				ldap_value_free( values );
359
			}
359
			}
Lines 450-456 int _nds_GetUnixKeyForUser(pam_handle_t Link Here
450
				for ( i = 0; values[ i ] != NULL; i++ )
450
				for ( i = 0; values[ i ] != NULL; i++ )
451
				{
451
				{
452
					if (strcmp(attribute,attrs[0])==0)
452
					if (strcmp(attribute,attrs[0])==0)
453
						strcpy(usrkey,values[i]); // XXX tom: does it fit?
453
						strcpy(usrkey,values[i]);
454
				}
454
				}
455
				ldap_value_free( values );
455
				ldap_value_free( values );
456
			}
456
			}
Lines 866-872 int LIBCALL cert_callback( void *pHandle Link Here
866
		goto err;
866
		goto err;
867
	}
867
	}
868
868
869
	cert.data = (void *)malloc(cert.length); // XXX tom: can we trust length? looking at NLDAPsdk revealed that we can not :(
869
	cert.data = (void *)malloc(cert.length);
870
	if (NULL == cert.data)
870
	if (NULL == cert.data)
871
	{
871
	{
872
		syslog(LOG_ERR,"cert_callback():Could not allocate buffer for obtaining cert");
872
		syslog(LOG_ERR,"cert_callback():Could not allocate buffer for obtaining cert");
Lines 1420-1426 NSS_STATUS search_database(char *cn,char Link Here
1420
	int found=0;
1420
	int found=0;
1421
	char temp[MAX_ARRYLEN], *value;
1421
	char temp[MAX_ARRYLEN], *value;
1422
	FILE *fp;
1422
	FILE *fp;
1423
	fp=fopen("/CNtoFDN","r"); // XXX tom: what is that?
1423
	fp=fopen("/CNtoFDN","r");
1424
	fseek(fp,0L,SEEK_SET);
1424
	fseek(fp,0L,SEEK_SET);
1425
	while (!feof(fp))
1425
	while (!feof(fp))
1426
	{
1426
	{
Lines 1450-1456 void itoa(int n, char s[], int radix) Link Here
1450
{
1450
{
1451
	int i,sign,c,j;
1451
	int i,sign,c,j;
1452
1452
1453
	radix = radix; // XXX tom: ??? :)
1453
	radix = radix;
1454
1454
1455
	if ((sign =n)<0)
1455
	if ((sign =n)<0)
1456
		n=-n;
1456
		n=-n;
Lines 2041-2047 int setPasswordForName(const char *userN Link Here
2041
2041
2042
int CryptPasswordForCache(const char *password, char *cryptPass)
2042
int CryptPasswordForCache(const char *password, char *cryptPass)
2043
{
2043
{
2044
  char salt[] = "$1$LLBSALT$"; // XXX tom: constant salt!
2044
  char salt[] = "$1$LLBSALT$";
2045
  char *temp, buffer[128];
2045
  char *temp, buffer[128];
2046
2046
2047
  temp = buffer;
2047
  temp = buffer;
Lines 2799-2805 int namGetUserFDNfromUIDCacheOnly(int ui Link Here
2799
		return errorval;
2799
		return errorval;
2800
	}
2800
	}
2801
2801
2802
	strcpy(userFDN, pstr); // XXX tom: does it fit?
2802
	strcpy(userFDN, pstr);
2803
2803
2804
	free(buffer);
2804
	free(buffer);
2805
	return NAM_SUCCESS;       
2805
	return NAM_SUCCESS;       
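Review bot: The `strcpy` calls at lines 114, 144, 152, 356, 453 and 2802 copy PAM conversation responses and LDAP attribute values into caller-provided buffers with no length bound. The destinations look like pointer parameters (their declarations are outside the hunks), so `sizeof` will not help; each function needs the destination size passed in and should return an error when `strlen` of the source does not fit. In _nds_pam_pass_converse, lines 153-154 free `resp` and `resp1` but not `resp->resp` or `resp1->resp`, unlike line 115 in _nds_pam_display_converse, so the response strings (passwords, going by the function name) stay on the heap; wipe and free them first. In search_database, `fopen("/CNtoFDN","r")` at line 1423 is followed by `fseek(fp, ...)` with no NULL check, so add `if (fp == NULL) return <error>;`. `init_sec_salt` and `CryptPasswordForCache` use fixed salts (`ky`, `$1$LLBSALT$`), so equal passwords produce equal hashes; a random per-entry salt would avoid that.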
