234622 – [libc] getgrent() issue with large NIS groups

Bug 234622 - [libc] getgrent() issue with large NIS groups

Summary: [libc] getgrent() issue with large NIS groups

Status:	Open

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	12.2-RELEASE
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:	patch

Depends on:
Blocks:

Reported:	2019-01-04 21:33 UTC by tcleamy
Modified:	2021-08-23 17:02 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Patch for 11.2 (2.54 KB, patch) 2019-01-04 21:33 UTC, tcleamy	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description tcleamy 2019-01-04 21:33:38 UTC

Created attachment 200779 [details]
Patch for 11.2

getgrent misses large NIS groups so the group list for those users is incorrect.

To replicate simply make a large NIS group (500+ characters) and then run groups on one of those users.  From one of my systems:
> ypmatch crc group
crc::499:ccctim,itsnoopy,rodd,jkperla,ncmolina,ajnichol,itlm003,itlm005,itlm011,itlm012,itlm019,itlm022,itlm023,itlm031,itlm032,itlm033,itlm034,itlm035,itlm038,itlm039,itlm040,itlm041,itlm043,itlm045,itlm046,itlm049,itlm054,itlm055,itlm057,itlm061,itlm064,itlm067,itlm068,itlm070,itlm071,itlm072,itlm076,itlm079,itlm080,itlm082,itlm084,itlm086,itlm087,itlm088,itlm089,itlm091,itlm092,itlm094,itlm095,itlm097,itlm098,itlm099,itlm100,itlm104,itlm107,itlm109,itlm111,itlm112,itlm113,itlm114,itlm123,itlm125,itlm126,itlm127,itlm130,itlm134,itlm138,itlm140,itlm141,itlm145,itlm146,itlm147,itlm151,itlm167,itlm179,itlm196,itlm197

> groups ccctim
users lm hws projects office eyevocab roomres crcsuper

So while "ypmatch crc group" lists the entire group including ccctim, "groups ccctim" doesn't list crc.

I've seen this issue on various releases of FreeBSD 9, 10 & 11.  I think it's the same as 96840.  That bug report says fixed and closed, but I'm continuing to see the same issue.  I've been using that patch in 96840 to fix the bug each release.  So can you double check to see if the issue was really fixed?

I've attached the latest patch for FreeBSD 11.2.

Comment 1 Jilles Tjoelker freebsd_committer

2019-01-13 22:12:49 UTC

This patch looks conceptually correct: if getgrent_r() returns ERANGE, it must not advance the iterator. Apparently it is acceptable to call yp_first() or yp_next() with the same key multiple times.

The code in FreeBSD head advances the iterator when ERANGE is returned, so the excessively long group is discarded (but following groups will use a larger buffer).

Potential issue in the patch: reading *errnop in if (*errnop == ERANGE) { without ensuring it is meaningful by checking rv == NS_RETURN may not be correct.

Comment 2 tcleamy 2019-09-13 16:38:04 UTC

I ran into the same issue with FreeBSD 11.3.  And the same patch still works for me.

Comment 3 tcleamy 2020-06-30 20:12:38 UTC

I ran into the same bug in FreeBSD 11.4.  I'm still using the same patch to fix it.

Comment 4 tcleamy 2021-08-23 17:02:10 UTC

The bug still exists in FreeBSD 12.2.  I used the same patch to fix it.  The line numbers shifted a bit, but it worked.