Gentoo Attachment #101596 for bug #153495

View | Details | Raw Unified
Collapse All | Expand All

(-) OpenPBS_2_3_16/src/iff/iff2.c (+13 lines)

Lines 106-111	Link Here

static char ident[] = "@(#) $RCSfile: iff2.c,v $ $Revision: 2.2.10.8 $";

static char ident[] = "@(#) $RCSfile: iff2.c,v $ $Revision: 2.2.10.8 $";

#define _GNU_SOURCE

#include <unistd.h>

// we are lazy and do not check for errors here :(

uid_t __euid;

#define DROPEUID __euid = geteuid(); setresuid(getuid(), getuid(), geteuid())

#define RESTOREEUID setresuid(getuid(), __euid, getuid())

int pbs_errno;

int pbs_errno;

struct connect_handle connection[NCONNECTS];

struct connect_handle connection[NCONNECTS];

Lines 135-140	Link Here

	extern int   optind;

	extern int   optind;

	extern char *optarg;

	extern char *optarg;

	DROPEUID;

	/* Need to unset LOCALDOMAIN if set, want local host name */

	/* Need to unset LOCALDOMAIN if set, want local host name */

	for (i=0; envp[i]; ++i) {

	for (i=0; envp[i]; ++i) {

Lines 176-187	Link Here

	if ((servport = atoi(argv[++optind])) <= 0)

	if ((servport = atoi(argv[++optind])) <= 0)

		return (1);

		return (1);

	RESTOREEUID;	// we need a reserved port here

	for (i=0; i<10; i++) {

	for (i=0; i<10; i++) {

		sock = client_to_svr(hostaddr, (unsigned int)servport, 1);

		sock = client_to_svr(hostaddr, (unsigned int)servport, 1);

		if (sock != PBS_NET_RC_RETRY)

		if (sock != PBS_NET_RC_RETRY)

			break;

			break;

		sleep(1);

		sleep(1);

	DROPEUID;

	if (sock < 0) {

	if (sock < 0) {

		fprintf(stderr, "pbs_iff: cannot connect to host\n");

		fprintf(stderr, "pbs_iff: cannot connect to host\n");

		return (4);

		return (4);

(-) OpenPBS_2_3_16/src/mom_rcp/rcp.c (-7 / +15 lines)

Lines 135-141	Link Here

#ifdef	KERBEROS

#ifdef	KERBEROS

		case 'k':

		case 'k':

			dest_realm = dst_realm_buf;

			dest_realm = dst_realm_buf;

			(void)strncpy(dst_realm_buf, optarg, REALM_SZ);

			memset(dst_realm_buf, 0, REALM_SZ);

			(void)strncpy(dst_realm_buf, optarg, REALM_SZ-1);

			break;

			break;

#ifdef CRYPT

#ifdef CRYPT

		case 'x':

		case 'x':

Lines 197-209	Link Here

	if (fflag) {			/* Follow "protocol", send data. */

	if (fflag) {			/* Follow "protocol", send data. */

		(void)response();

		(void)response();

		(void)setuid(userid);

		if(setuid(userid) != 0)

			errx(1, "can't change to uid %d", (int)userid);

		source(argc, argv);

		source(argc, argv);

		exit(errs);

		exit(errs);

	if (tflag) {			/* Receive data. */

	if (tflag) {			/* Receive data. */

		(void)setuid(userid);

		if(setuid(userid) != 0)

			errx(1, "can't change to uid %d", (int)userid);

		sink(argc, argv);

		sink(argc, argv);

		exit(errs);

		exit(errs);

Lines 637-642	Link Here

		for (size = 0; isdigit(*cp);)

		for (size = 0; isdigit(*cp);)

			size = size * 10 + (*cp++ - '0');

			size = size * 10 + (*cp++ - '0');

		if(size < 0) // integer overflow, more can happen in the loop but lets avoid testing for the sake of performance

			SCREWUP("size becomes too big and swapped");

		if (*cp++ != ' ')

		if (*cp++ != ' ')

			SCREWUP("size not delimited");

			SCREWUP("size not delimited");

		if (targisdir) {

		if (targisdir) {

Lines 644-655	Link Here

			static int cursize;

			static int cursize;

			size_t need;

			size_t need;

			need = strlen(targ) + strlen(cp) + 250;

			need = strlen(targ) + strlen(cp) + 250; // b/c this might overflow (very unlikely) we use sNprintf() later

			if (need > cursize) {

			if (need > cursize) {

				if (!(namebuf = malloc(need)))

				if (!(namebuf = malloc(need))) // will not set a limit here

					run_err("%s", strerror(errno));

					run_err("%s", strerror(errno));

			(void)sprintf(namebuf, "%s%s%s", targ,

			(void)snprintf(namebuf, need, "%s%s%s", targ,

			    *targ ? "/" : "", cp);

			    *targ ? "/" : "", cp);

			np = namebuf;

			np = namebuf;

		} else

		} else

Lines 818-823	Link Here

	char ch, *cp, resp, rbuf[BUFSIZ];

	char ch, *cp, resp, rbuf[BUFSIZ];

	memset(rbuf, 0, BUFSIZ);

	if (read(rem, &resp, sizeof(resp)) != sizeof(resp))

	if (read(rem, &resp, sizeof(resp)) != sizeof(resp))

		lostconn(0);

		lostconn(0);

Lines 834-840	Link Here

			if (read(rem, &ch, sizeof(ch)) != sizeof(ch))

			if (read(rem, &ch, sizeof(ch)) != sizeof(ch))

				lostconn(0);

				lostconn(0);

			*cp++ = ch;

			*cp++ = ch;

		} while (cp < &rbuf[BUFSIZ] && ch != '\n');

		} while (cp < &rbuf[BUFSIZ-1] && ch != '\n');

		if (!iamremote)

		if (!iamremote)

			(void)write(STDERR_FILENO, rbuf, cp - rbuf);

			(void)write(STDERR_FILENO, rbuf, cp - rbuf);

(-) OpenPBS_2_3_16/src/mom_rcp/util.c (-1 / +13 lines)

Lines 120-126	Link Here

		return (127);

		return (127);

	case 0:

	case 0:

		(void)setuid(userid);

		if(setuid(userid) != 0)

			run_err("setuid(%u): %s", userid, strerror(errno));

			_exit(127);

		execl(_PATH_BSHELL, "sh", "-c", s, NULL);

		execl(_PATH_BSHELL, "sh", "-c", s, NULL);

		_exit(127);

		_exit(127);

Lines 129-134	Link Here

	return (status);

	return (status);

// arbitrary limit

#define UPPERLIMIT 2^20

BUF *

BUF *

allocbuf(bp, fd, blksize)

allocbuf(bp, fd, blksize)

	BUF *bp;

	BUF *bp;

Lines 141-146	Link Here

		run_err("fstat: %s", strerror(errno));

		run_err("fstat: %s", strerror(errno));

		return (0);

		return (0);

	if(blksize <= 0 || blksize > UPPERLIMIT)

		run_err("blksize value is ivalid (either <= 0 or > %u)\n", UPPERLIMIT);

		return 0;

	size = (((int)stb.st_blksize + blksize - 1) / blksize) * blksize;

	size = (((int)stb.st_blksize + blksize - 1) / blksize) * blksize;

	if (size == 0)

	if (size == 0)

		size = blksize;

		size = blksize;

Attachment #101596: OpenPBS_2_3_16-security.diff for bug #153495