OpenAFS Master Repository branch, master, updated. openafs-devel-1_9_2-114-gc57eddb

Gerrit Code Review gerrit@openafs.org
Fri, 31 Jan 2025 10:25:12 -0500


The following commit has been merged in the master branch:
commit c57eddb1f24eba22902fe7726c54baedef642e06
Author: Andrew Deason <adeason@sinenomine.net>
Date:   Mon Sep 18 16:08:46 2023 -0500

    viced: Give an actual 'prname' to hpr_NameToId
    
    In MapName_r(), we cast 'uname' (a char*) into a prname* when
    populating a 'namelist' to give to hpr_NameToId(). A 'prname' is just
    an rxgen-derived typedef for char[PR_MAXNAMELEN], which looks similar
    to a char*, but is a fixed-size array.
    
    MapName_r() passes the given 'namelist' to hpr_NameToId(), which calls
    ubik_PR_NameToID() -> PR_NameToID() -> xdr_namelist() -> xdr_array()
    -> xdr_prname() -> xdr_vector(). That will send exactly PR_MAXNAMELEN
    characters of the given name to the wire, even if the string is only a
    few characters long. If the given string is significantly shorter than
    PR_MAXNAMELEN characters, then we may send uninitialized data from the
    stack on the wire.
    
    The ptserver should ignore any data after the trailing NUL byte in the
    string, but the data will still be exposed on the wire, possibly
    allowing others to see the uninitialized stack data.
    
    To fix this, copy the given string into a local blanked 'prname', and
    use that instead, avoiding the cast.
    
    Also fix the 'ptclient' program, which uses a proper 'prname' array,
    but doesn't initialize all of the memory, causing a similar problem.
    Just change a malloc() to calloc() to fix it.
    
    All other callers of PR_NameToID pass a properly-initialized 'prname'
    (or an array of them), or use strncpy() to copy the given string,
    which fills the given array with NUL bytes. However, change several
    callers to memset() or calloc() the relevant memory, to try to avoid
    similar mistakes in the future (for example, if someone changes a
    strncpy() call to strlcpy()).
    
    The issue in the fileserver calling hpr_NameToId() was introduced in
    commit 8a040cfd848410b75b4e5ac5498f00f073932598 (viced: remove static
    local realms), included in OpenAFS 1.8.0, since the given string was
    no longer NUL-filled by strncpy().
    
    FIXES 135444
    
    Change-Id: Ia1dfc56d0ca8e4b57264150761f576d2621f0c21
    Reviewed-on: https://gerrit.openafs.org/16147
    Reviewed-by: Andrew Deason <adeason@sinenomine.net>
    Tested-by: Andrew Deason <adeason@sinenomine.net>

 src/WINNT/afsd/cm_ioctl.c       |  2 +-
 src/libacl/test/acltest.c       |  2 +-
 src/libadmin/pts/afs_ptsAdmin.c |  4 ++++
 src/ptserver/ptclient.c         |  2 +-
 src/ptserver/pts.c              |  4 ++--
 src/ptserver/ptuser.c           |  6 +++---
 src/viced/host.c                | 10 +++++++++-
 7 files changed, 21 insertions(+), 9 deletions(-)

-- 
OpenAFS Master Repository
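
The exposure described in the commit message above, as an added example that is not OpenAFS code: a short string in a dirty buffer, sent through a fixed-length encoder by way of a cast, next to the blanked-copy pattern the commit adopts. Assumptions: `encode_prname()` is a hypothetical stand-in for the fixed-length XDR encoding, the value 64 for `PR_MAXNAMELEN` is assumed, and the 0xAA fill is a constructed substitute for stale stack contents.

```c
#include <stdio.h>
#include <string.h>

#define PR_MAXNAMELEN 64             /* assumed value; the commit only names the constant */
typedef char prname[PR_MAXNAMELEN];  /* fixed-size array, not a char* */

/* Hypothetical fixed-length encoder: always emits PR_MAXNAMELEN bytes. */
static void encode_prname(prname *name, unsigned char *wire)
{
    memcpy(wire, *name, PR_MAXNAMELEN);
}

/* Count non-zero bytes after the first NUL: ignored by the receiver, visible on the wire. */
static long residue_after_nul(const unsigned char *wire)
{
    size_t i = 0; long n = 0;
    while (i < PR_MAXNAMELEN && wire[i] != 0) i++;
    for (; i < PR_MAXNAMELEN; i++) n += (wire[i] != 0);
    return n;
}

/* 'Before' pattern: a short string in a dirty buffer, cast to prname*. */
static long send_by_cast(const char *uname, unsigned char *wire)
{
    char scratch[PR_MAXNAMELEN];
    if (strlen(uname) >= sizeof(scratch)) return -1;
    memset(scratch, 0xAA, sizeof(scratch)); /* constructed stale-stack stand-in */
    strcpy(scratch, uname);                 /* bytes past the NUL stay stale */
    encode_prname((prname *)scratch, wire);
    return residue_after_nul(wire);
}

/* 'After' pattern: copy into a blanked local prname, no cast. */
static long send_by_copy(const char *uname, unsigned char *wire)
{
    prname name;
    if (strlen(uname) >= sizeof(name)) return -1;
    memset(name, 0, sizeof(name));
    strcpy(name, uname);                    /* length checked above */
    encode_prname(&name, wire);
    return residue_after_nul(wire);
}

int main(void)
{
    unsigned char wire[PR_MAXNAMELEN];
    printf("cast: %ld, copy: %ld stale bytes sent\n",
           send_by_cast("alice", wire), send_by_copy("alice", wire));
    return 0;
}
```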