Created attachment 217545
Fix integer underflow in getgrent.c
When calling getgrnam_r for nonexistent group "root", nscd will for some reason return a 1-byte buffer. This triggers an underflow from an unsigned integer comparison, causing grp_unmarshal_func to return ERANGE. That, in turn, may lead applications to repeat the call with ever-larger buffers.
I haven't tried to debug nscd yet, but I think the correct thing to do in this case is for grp_unmarshal_func to return NS_UNAVAIL. That's what the attached patch does.
Steps to Reproduce:
* Install pkg from git head (prior to https://github.com/freebsd/pkg/pull/1873 pkg would ignore ERANGE errors)
* Enable nscd. I'm using it with LDAP, and in my nsswitch.conf I have "group: files cache ldap", but I don't think the order matters.
* Try to install a package that sets the group ownership of one or more files to "root" (which does not exist).
It will print errors like:
pkg: getgrnam_r: Result too large
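An added C illustration of the failure mode described above; it is constructed for this page and is neither the libc source nor the attached patch. It shows why a 1-byte cache reply makes an unsigned size check misreport ERANGE, and the corrected form that first rejects a reply too short to hold the header (returning an "unavailable" result, as the report suggests). The header layout (a struct group plus one pointer) and the result codes are assumptions.

```c
/* Constructed illustration of the buffer-size check pattern in the report;
 * not the actual getgrent.c code. */
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <stdio.h>

/* Result codes for this illustration (assumed; not the real NS_* values). */
enum unmarshal_result { UM_OK = 0, UM_ERANGE = 1, UM_UNAVAIL = 2 };

/* Assumed fixed header that precedes the string data in a cache reply. */
#define HEADER_SIZE (sizeof(struct group) + sizeof(char *))

/* Buggy check: with a 1-byte reply, reply_size - HEADER_SIZE wraps around
 * in size_t, so every user buffer compares as too small and the caller
 * is told ERANGE ("Result too large") no matter how big its buffer is. */
enum unmarshal_result
check_buggy(size_t user_buf_size, size_t reply_size)
{
	if (user_buf_size < reply_size - HEADER_SIZE)
		return UM_ERANGE;
	return UM_OK;
}

/* Fixed check: a reply that cannot even hold the header carries no usable
 * entry, so report it as unavailable instead of asking for more space.
 * Only after that guard is the subtraction known not to wrap. */
enum unmarshal_result
check_fixed(size_t user_buf_size, size_t reply_size)
{
	if (reply_size < HEADER_SIZE)
		return UM_UNAVAIL;
	if (reply_size - HEADER_SIZE > user_buf_size)
		return UM_ERANGE;
	return UM_OK;
}

int
main(void)
{
	/* Constructed inputs: a 4 KiB user buffer and a 1-byte cache reply. */
	printf("buggy: %d (1 = ERANGE)\n", check_buggy(4096, 1));
	printf("fixed: %d (2 = unavailable)\n", check_fixed(4096, 1));
	return 0;
}
```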
Code review in progress
A commit references this bug:
Date: Sat Sep 19 19:08:28 UTC 2020
New revision: 365910
fix integer underflow in getgrnam_r and getpwnam_r
Sometimes nscd(8) will return a 1-byte buffer for a nonexistent entry. This
triggered an integer underflow in grp_unmarshal_func, causing getgrnam_r to
return ERANGE instead of 0.
Fix the user's buffer size check, and add a correct check for a too-small
Event: September 2020 Bugathon
Reviewed by: markj
MFC after: 2 weeks
Sponsored by: Axcient
Differential Revision: https://reviews.freebsd.org/D26204