diff -Ebru OpenPBS_2_3_16/src/iff/iff2.c OpenPBS_2_3_16.patched/src/iff/iff2.c
--- OpenPBS_2_3_16/src/iff/iff2.c 2001-12-05 01:38:08.000000000 +0100
+++ OpenPBS_2_3_16.patched/src/iff/iff2.c 2006-09-27 16:01:28.000000000 +0200
@@ -106,6 +106,14 @@
 static char ident[] = "@(#) $RCSfile: iff2.c,v $ $Revision: 2.2.10.8 $";
+#define _GNU_SOURCE
+#include 
+
+// we are lazy and do not check for errors here :(
+uid_t __euid;
+#define DROPEUID __euid = geteuid(); setresuid(getuid(), getuid(), geteuid())
+#define RESTOREEUID setresuid(getuid(), __euid, getuid())
+
 int pbs_errno;
 struct connect_handle connection[NCONNECTS];
@@ -135,6 +143,8 @@
 extern int optind;
 extern char *optarg;
+ DROPEUID;
+
 /* Need to unset LOCALDOMAIN if set, want local host name */
 for (i=0; envp[i]; ++i) {
@@ -176,12 +186,15 @@
 if ((servport = atoi(argv[++optind])) <= 0)
 return (1);
+ RESTOREEUID; // we need a reserved port here
 for (i=0; i<10; i++) {
 sock = client_to_svr(hostaddr, (unsigned int)servport, 1);
 if (sock != PBS_NET_RC_RETRY)
 break;
 sleep(1);
 }
+ DROPEUID;
+
 if (sock < 0) {
 fprintf(stderr, "pbs_iff: cannot connect to host\n");
 return (4);
Nur in OpenPBS_2_3_16.patched/src/iff: iff2.c~.
diff -Ebru OpenPBS_2_3_16/src/mom_rcp/rcp.c OpenPBS_2_3_16.patched/src/mom_rcp/rcp.c
--- OpenPBS_2_3_16/src/mom_rcp/rcp.c 1998-10-15 01:09:08.000000000 +0200
+++ OpenPBS_2_3_16.patched/src/mom_rcp/rcp.c 2006-09-27 15:06:30.000000000 +0200
@@ -135,7 +135,8 @@
 #ifdef KERBEROS
 case 'k':
 dest_realm = dst_realm_buf;
- (void)strncpy(dst_realm_buf, optarg, REALM_SZ);
+ memset(dst_realm_buf, 0, REALM_SZ);
+ (void)strncpy(dst_realm_buf, optarg, REALM_SZ-1);
 break;
 #ifdef CRYPT
 case 'x':
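Review bot: DROPEUID and RESTOREEUID discard the return value of setresuid(), as the added comment admits; in a set-user-ID program a failed DROPEUID leaves the process running with the privileged effective UID, which is the fail-open case CERT POS37-C warns about, so both macros should test the result and abort, and be wrapped in do { ... } while (0) so that `if (...) DROPEUID;` cannot split the two statements. `_GNU_SOURCE` is defined here at line 106, after whatever the file includes above this hunk; it must precede the first system header or glibc may not declare setresuid() at all. `__euid` is also a reserved identifier (leading double underscore) and should be renamed, e.g. `saved_euid`. The rewritten macros below replace the five added lines.
```c
/* … unchanged: ident[] … */
static uid_t saved_euid;

/* Temporarily drop to the real UID; the privileged UID stays as saved set-UID. */
#define DROPEUID do { \
	saved_euid = geteuid(); \
	if (setresuid(getuid(), getuid(), saved_euid) != 0) { \
		perror("pbs_iff: setresuid"); exit(1); \
	} \
} while (0)

/* Regain the privileged UID saved by DROPEUID. */
#define RESTOREEUID do { \
	if (setresuid(getuid(), saved_euid, getuid()) != 0) { \
		perror("pbs_iff: setresuid"); exit(1); \
	} \
} while (0)
```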
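Review bot: The DROPEUID after the connect loop keeps the privileged UID as the saved set-user-ID, so the process can regain it with another setresuid() at any later point; once the reserved-port socket is open nothing in this hunk needs it again, so this is the natural place for a permanent drop, `if (setresuid(getuid(), getuid(), getuid()) != 0) return (1);`, unless code later in main() (outside the hunk) relies on a further RESTOREEUID. Note also that the privileged window spans up to ten `sleep(1)` retries, which is tolerable only because client_to_svr() is the sole call inside it. main() continues past the end of this hunk.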
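Review bot: The new memset()/strncpy(REALM_SZ-1) pair does terminate dst_realm_buf, but a realm longer than REALM_SZ-1 characters is still silently truncated and the truncated Kerberos realm name would then be used for authentication with no diagnostic. Rejecting the argument is safer and shorter than the two added lines: `if (snprintf(dst_realm_buf, REALM_SZ, "%s", optarg) >= REALM_SZ) errx(1, "realm name too long");`. The enclosing option-parsing switch starts and ends outside this hunk.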
@@ -197,13 +198,15 @@
 if (fflag) { /* Follow "protocol", send data. */
 (void)response();
- (void)setuid(userid);
+ if(setuid(userid) != 0)
+ errx(1, "can't change to uid %d", (int)userid);
 source(argc, argv);
 exit(errs);
 }
 if (tflag) { /* Receive data. */
- (void)setuid(userid);
+ if(setuid(userid) != 0)
+ errx(1, "can't change to uid %d", (int)userid);
 sink(argc, argv);
 exit(errs);
 }
@@ -637,6 +640,9 @@
 for (size = 0; isdigit(*cp);)
 size = size * 10 + (*cp++ - '0');
+ if(size < 0) // integer overflow, more can happen in the loop but lets avoid testing for the sake of performance
+ SCREWUP("size becomes too big and swapped");
+
 if (*cp++ != ' ')
 SCREWUP("size not delimited");
 if (targisdir) {
@@ -644,12 +650,12 @@
 static int cursize;
 size_t need;
- need = strlen(targ) + strlen(cp) + 250;
+ need = strlen(targ) + strlen(cp) + 250; // b/c this might overflow (very unlikely) we use sNprintf() later
 if (need > cursize) {
- if (!(namebuf = malloc(need)))
+ if (!(namebuf = malloc(need))) // will not set a limit here
 run_err("%s", strerror(errno));
 }
- (void)sprintf(namebuf, "%s%s%s", targ,
+ (void)snprintf(namebuf, need, "%s%s%s", targ,
 *targ ? "/" : "", cp);
 np = namebuf;
 } else
@@ -818,6 +824,8 @@
 {
 char ch, *cp, resp, rbuf[BUFSIZ];
+ memset(rbuf, 0, BUFSIZ);
+
 if (read(rem, &resp, sizeof(resp)) != sizeof(resp))
 lostconn(0);
@@ -834,7 +842,7 @@
 if (read(rem, &ch, sizeof(ch)) != sizeof(ch))
 lostconn(0);
 *cp++ = ch;
- } while (cp < &rbuf[BUFSIZ] && ch != '\n');
+ } while (cp < &rbuf[BUFSIZ-1] && ch != '\n');
 if (!iamremote)
 (void)write(STDERR_FILENO, rbuf, cp - rbuf);
diff -Ebru OpenPBS_2_3_16/src/mom_rcp/util.c OpenPBS_2_3_16.patched/src/mom_rcp/util.c
--- OpenPBS_2_3_16/src/mom_rcp/util.c 1998-10-15 01:09:13.000000000 +0200
+++ OpenPBS_2_3_16.patched/src/mom_rcp/util.c 2006-09-27 14:52:38.000000000 +0200
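Review bot: The setuid() check is now written out twice, identically, in the fflag and tflag branches, and util.c in the same patch spells the same check a third way (run_err() plus _exit(127), with a different format); a one-line helper, `static void drop_to(uid_t uid) { if (setuid(uid) != 0) errx(1, "can't change to uid %d", (int)uid); }`, called from both branches would keep the two copies here from drifting apart. The util.c variant must stay separate since it runs in a forked child where _exit() is the right call. The enclosing main() starts and ends outside this hunk.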
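Review bot: The new `if(size < 0)` test runs only after the signed multiply-add has already overflowed, which is undefined behaviour; an optimising compiler may conclude that `size` (started at 0 and only ever increased) can never be negative and delete the check, so the guard is unreliable. The overflow must be rejected before each multiplication, against the maximum of size's declared type (that declaration is above this hunk; if it is off_t, use the matching limit rather than INT_MAX). `isdigit(*cp)` on a plain char is also UB for bytes >= 0x80 arriving from the remote side; cast to unsigned char. The enclosing sink() function starts and ends outside this hunk.
```c
	for (size = 0; isdigit((unsigned char)*cp); cp++) {
		/* size is untrusted wire data: refuse it before the multiply-add can overflow */
		if (size > (INT_MAX - (*cp - '0')) / 10)   /* INT_MAX: substitute the limit of size's actual type */
			SCREWUP("size too large");
		size = size * 10 + (*cp - '0');
	}
	/* … unchanged: delimiter check, targisdir handling … */
```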
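Review bot: snprintf(namebuf, need, ...) bounds the write correctly only while `need` is the real capacity of namebuf, and on the malloc() failure path it is not a buffer at all: run_err() returns and the next statement formats into a NULL namebuf. The growth branch also never records the new capacity (`cursize` is not assigned in these lines), so after the first growth every larger name allocates again and leaks the previous buffer. Suggested: `if (!(namebuf = malloc(need))) { run_err("%s", strerror(errno)); exit(1); }` followed by `cursize = need;`, with exit(1) standing for whatever fatal path sink() uses elsewhere. sink() continues outside this hunk.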
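Review bot: The tighter bound `cp < &rbuf[BUFSIZ-1]` does not close an overflow: the original loop stopped once cp reached &rbuf[BUFSIZ], after the last in-bounds store, and the only consumer visible here, `write(STDERR_FILENO, rbuf, cp - rbuf)`, uses the explicit length, so this change and the memset() in the hunk above only shorten the relayed remote message by one byte. If the intent is to make rbuf usable as a C string later in response(), say so in a comment and terminate explicitly after the loop with `*cp = '\0';`, which is clearer and cheaper than zeroing BUFSIZ bytes on every call; otherwise both hunks can be dropped. response() ends outside this hunk.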
@@ -120,7 +120,11 @@
 return (127);
 case 0:
- (void)setuid(userid);
+ if(setuid(userid) != 0)
+ {
+ run_err("setuid(%u): %s", userid, strerror(errno));
+ _exit(127);
+ }
 execl(_PATH_BSHELL, "sh", "-c", s, NULL);
 _exit(127);
 }
@@ -129,6 +133,8 @@
 return (status);
 }
+// arbitrary limit
+#define UPPERLIMIT 2^20
 BUF *
 allocbuf(bp, fd, blksize)
 BUF *bp;
@@ -141,6 +147,12 @@
 run_err("fstat: %s", strerror(errno));
 return (0);
 }
+
+ if(blksize <= 0 || blksize > UPPERLIMIT)
+ {
+ run_err("blksize value is ivalid (either <= 0 or > %u)\n", UPPERLIMIT);
+ return 0;
+ }
 size = (((int)stb.st_blksize + blksize - 1) / blksize) * blksize;
 if (size == 0)
 size = blksize;
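Review bot: `run_err("setuid(%u): %s", userid, ...)` prints userid with %u while the rcp.c checks in the same patch print it with %d after an (int) cast; if userid is a uid_t, %u is only correct where uid_t happens to be unsigned int, so cast explicitly, `run_err("setuid(%lu): %s", (unsigned long)userid, strerror(errno));`, to be format-correct for any uid_t width and consistent across the two files. Calling _exit(127) rather than exit() after run_err() is the right choice in the forked child. The enclosing function starts and ends outside this hunk.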
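Review bot: `#define UPPERLIMIT 2^20` is a bitwise XOR in C, so UPPERLIMIT evaluates to 22, not 1048576; the blksize check added below will therefore reject any block size above 22 bytes and allocbuf() fails for every realistic caller. Write `#define UPPERLIMIT (1U << 20)` (unsigned, since the value is printed with %u). A comment saying what the limit protects, e.g. `/* Largest blksize accepted by allocbuf(): keeps the st_blksize rounding below from overflowing. */`, would be more useful than `// arbitrary limit`.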
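Review bot: The new diagnostic has a typo, `ivalid` → `invalid`, and carries a trailing `\n` that the neighbouring run_err() call in this hunk (`"fstat: %s"`) does not, so the two messages will be emitted inconsistently; `run_err("blksize value is invalid (either <= 0 or > %u)", (unsigned)UPPERLIMIT);` fixes both and makes the %u argument type-correct. The check is only meaningful if UPPERLIMIT holds a sane value (see its definition in the hunk above). The rest of allocbuf() follows outside this hunk.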