Bug 234622

Summary: [libc] getgrent() issue with large NIS groups
Product: Base System
Reporter: tcleamy
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Open ---
Severity: Affects Some People
CC: jilles
Priority: ---
Keywords: patch
Version: 12.2-RELEASE
Hardware: Any
OS: Any
Attachments:
Patch for 11.2 (flags: none)

Description tcleamy 2019-01-04 21:33:38 UTC
Created attachment 200779
Patch for 11.2

getgrent misses large NIS groups so the group list for those users is incorrect.

To replicate simply make a large NIS group (500+ characters) and then run groups on one of those users.  From one of my systems:
> ypmatch crc group
crc::499:ccctim,itsnoopy,rodd,jkperla,ncmolina,ajnichol,itlm003,itlm005,itlm011,itlm012,itlm019,itlm022,itlm023,itlm031,itlm032,itlm033,itlm034,itlm035,itlm038,itlm039,itlm040,itlm041,itlm043,itlm045,itlm046,itlm049,itlm054,itlm055,itlm057,itlm061,itlm064,itlm067,itlm068,itlm070,itlm071,itlm072,itlm076,itlm079,itlm080,itlm082,itlm084,itlm086,itlm087,itlm088,itlm089,itlm091,itlm092,itlm094,itlm095,itlm097,itlm098,itlm099,itlm100,itlm104,itlm107,itlm109,itlm111,itlm112,itlm113,itlm114,itlm123,itlm125,itlm126,itlm127,itlm130,itlm134,itlm138,itlm140,itlm141,itlm145,itlm146,itlm147,itlm151,itlm167,itlm179,itlm196,itlm197

> groups ccctim
users lm hws projects office eyevocab roomres crcsuper

So while "ypmatch crc group" lists the entire group including ccctim, "groups ccctim" doesn't list crc.

I've seen this issue on various releases of FreeBSD 9, 10 & 11.  I think it's the same as 96840.  That bug report says fixed and closed, but I'm continuing to see the same issue.  I've been using that patch in 96840 to fix the bug each release.  So can you double check to see if the issue was really fixed?

I've attached the latest patch for FreeBSD 11.2.

Comment 1 Jilles Tjoelker freebsd_committer freebsd_triage 2019-01-13 22:12:49 UTC
This patch looks conceptually correct: if getgrent_r() returns ERANGE, it must not advance the iterator. Apparently it is acceptable to call yp_first() or yp_next() with the same key multiple times.

The code in FreeBSD head advances the iterator when ERANGE is returned, so the excessively long group is discarded (but following groups will use a larger buffer).

Potential issue in the patch: reading *errnop in if (*errnop == ERANGE) { without ensuring it is meaningful by checking rv == NS_RETURN may not be correct.
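
The iterator behaviour discussed in Comment 1, as an added example that is not part of the bug thread, the attached patch, or FreeBSD's libc: a toy record iterator that either advances or stays put when it returns ERANGE, driven by a caller that grows its buffer and calls again. The map contents, the 32-byte starting buffer and the names `next_record`, `is_member` and `count_memberships` are all constructed for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an NIS group map; the middle record is the long one. */
static const char *MAP[] = {
    "users::100:alice",
    "crc::499:alice,bob,carol,dave,erin,frank,grace,heidi,ivan,judy",
    "office::200:alice",
};
#define NMAP (sizeof MAP / sizeof MAP[0])

/* Hypothetical backend: 0 = record copied, ERANGE = buf too small, ENOENT = end. */
static int next_record(size_t *pos, int advance_on_erange, char *buf, size_t len) {
    if (*pos >= NMAP) return ENOENT;
    size_t need = strlen(MAP[*pos]) + 1;
    if (need > len) {
        if (advance_on_erange) (*pos)++;  /* oversized record is skipped for good */
        return ERANGE;                     /* otherwise the same record is retried */
    }
    memcpy(buf, MAP[(*pos)++], need);
    return 0;
}

/* Exact match of user against the comma-separated member field. */
static int is_member(const char *rec, const char *user) {
    const char *p = strrchr(rec, ':');
    size_t n = strlen(user);
    for (p = p ? p + 1 : rec; *p; p += strcspn(p, ","), p += (*p == ','))
        if (strncmp(p, user, n) == 0 && (p[n] == ',' || p[n] == '\0')) return 1;
    return 0;
}

/* Caller loop: double the buffer on ERANGE and call again; returns group count. */
int count_memberships(const char *user, int advance_on_erange) {
    size_t pos = 0, len = 32;
    int rc, n = 0;
    char *nb, *buf = malloc(len);
    if (buf == NULL) return -1;
    while ((rc = next_record(&pos, advance_on_erange, buf, len)) != ENOENT) {
        if (rc == 0) { n += is_member(buf, user); continue; }
        if ((nb = realloc(buf, len *= 2)) == NULL) { free(buf); return -1; }
        buf = nb;
    }
    free(buf);
    return n;
}
```

With `advance_on_erange` set, the long record never reaches the caller even though the buffer was enlarged, so any access decision based on the resulting group list silently omits that group.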

Comment 2 tcleamy 2019-09-13 16:38:04 UTC
I ran into the same issue with FreeBSD 11.3.  And the same patch still works for me.

Comment 3 tcleamy 2020-06-30 20:12:38 UTC
I ran into the same bug in FreeBSD 11.4.  I'm still using the same patch to fix it.

Comment 4 tcleamy 2021-08-23 17:02:10 UTC
The bug still exists in FreeBSD 12.2.  I used the same patch to fix it.  The line numbers shifted a bit, but it worked.