Attachment #101596 for bug #153495

View | Details | Raw Unified | Return to bug 153495
Collapse All | Expand All

Lines 106-111 Link Here

(-)OpenPBS_2_3_16/src/iff/iff2.c (+13 lines)
106		106
107	static char ident[] = "@(#) $RCSfile: iff2.c,v $ $Revision: 2.2.10.8 $";	107	static char ident[] = "@(#) $RCSfile: iff2.c,v $ $Revision: 2.2.10.8 $";
108		108
		109	#define _GNU_SOURCE
		110	#include <unistd.h>
		111
		112	// we are lazy and do not check for errors here :(
		113	uid_t __euid;
		114	#define DROPEUID __euid = geteuid(); setresuid(getuid(), getuid(), geteuid())
		115	#define RESTOREEUID setresuid(getuid(), __euid, getuid())
		116
109	int pbs_errno;	117	int pbs_errno;
110	struct connect_handle connection[NCONNECTS];	118	struct connect_handle connection[NCONNECTS];
111		119
Lines 135-140 Link Here
135	extern int optind;	143	extern int optind;
136	extern char *optarg;	144	extern char *optarg;
137		145
		146	DROPEUID;
		147
138	/* Need to unset LOCALDOMAIN if set, want local host name */	148	/* Need to unset LOCALDOMAIN if set, want local host name */
139		149
140	for (i=0; envp[i]; ++i) {	150	for (i=0; envp[i]; ++i) {
Lines 176-187 Link Here
176	if ((servport = atoi(argv[++optind])) <= 0)	186	if ((servport = atoi(argv[++optind])) <= 0)
177	return (1);	187	return (1);
178		188
		189	RESTOREEUID; // we need a reserved port here
179	for (i=0; i<10; i++) {	190	for (i=0; i<10; i++) {
180	sock = client_to_svr(hostaddr, (unsigned int)servport, 1);	191	sock = client_to_svr(hostaddr, (unsigned int)servport, 1);
181	if (sock != PBS_NET_RC_RETRY)	192	if (sock != PBS_NET_RC_RETRY)
182	break;	193	break;
183	sleep(1);	194	sleep(1);
184	}	195	}
		196	DROPEUID;
		197
185	if (sock < 0) {	198	if (sock < 0) {
186	fprintf(stderr, "pbs_iff: cannot connect to host\n");	199	fprintf(stderr, "pbs_iff: cannot connect to host\n");
187	return (4);	200	return (4);




#ifdef	KERBEROS
		case 'k':
			dest_realm = dst_realm_buf;
			memset(dst_realm_buf, 0, REALM_SZ);
			(void)strncpy(dst_realm_buf, optarg, REALM_SZ-1);
			break;
#ifdef CRYPT
		case 'x':


	if (fflag) {			/* Follow "protocol", send data. */
		(void)response();
		if(setuid(userid) != 0)
			errx(1, "can't change to uid %d", (int)userid);
		source(argc, argv);
		exit(errs);
	}

	if (tflag) {			/* Receive data. */
		if(setuid(userid) != 0)
			errx(1, "can't change to uid %d", (int)userid);
		sink(argc, argv);
		exit(errs);
	}


		for (size = 0; isdigit(*cp);)
			size = size * 10 + (*cp++ - '0');
		if(size < 0) // integer overflow, more can happen in the loop but lets avoid testing for the sake of performance
			SCREWUP("size becomes too big and swapped");

		if (*cp++ != ' ')
			SCREWUP("size not delimited");
		if (targisdir) {

			static int cursize;
			size_t need;

			need = strlen(targ) + strlen(cp) + 250; // b/c this might overflow (very unlikely) we use sNprintf() later
			if (need > cursize) {
				if (!(namebuf = malloc(need))) // will not set a limit here
					run_err("%s", strerror(errno));
			}
			(void)snprintf(namebuf, need, "%s%s%s", targ,
			    *targ ? "/" : "", cp);
			np = namebuf;
		} else

{
	char ch, *cp, resp, rbuf[BUFSIZ];

	memset(rbuf, 0, BUFSIZ);

	if (read(rem, &resp, sizeof(resp)) != sizeof(resp))
		lostconn(0);


			if (read(rem, &ch, sizeof(ch)) != sizeof(ch))
				lostconn(0);
			*cp++ = ch;
		} while (cp < &rbuf[BUFSIZ-1] && ch != '\n');

		if (!iamremote)
			(void)write(STDERR_FILENO, rbuf, cp - rbuf);

Lines 120-126 Link Here

(-)OpenPBS_2_3_16/src/mom_rcp/util.c (-1 / +13 lines)
120	return (127);	120	return (127);
121		121
122	case 0:	122	case 0:
123	(void)setuid(userid);	123	if(setuid(userid) != 0)
		124	{
		125	run_err("setuid(%u): %s", userid, strerror(errno));
		126	_exit(127);
		127	}
124	execl(_PATH_BSHELL, "sh", "-c", s, NULL);	128	execl(_PATH_BSHELL, "sh", "-c", s, NULL);
125	_exit(127);	129	_exit(127);
126	}	130	}
Lines 129-134 Link Here
129	return (status);	133	return (status);
130	}	134	}
131		135
		136	// arbitrary limit
		137	#define UPPERLIMIT 2^20
132	BUF *	138	BUF *
133	allocbuf(bp, fd, blksize)	139	allocbuf(bp, fd, blksize)
134	BUF *bp;	140	BUF *bp;
Lines 141-146 Link Here
141	run_err("fstat: %s", strerror(errno));	147	run_err("fstat: %s", strerror(errno));
142	return (0);	148	return (0);
143	}	149	}
		150
		151	if(blksize <= 0 \|\| blksize > UPPERLIMIT)
		152	{
		153	run_err("blksize value is ivalid (either <= 0 or > %u)\n", UPPERLIMIT);
		154	return 0;
		155	}
144	size = (((int)stb.st_blksize + blksize - 1) / blksize) * blksize;	156	size = (((int)stb.st_blksize + blksize - 1) / blksize) * blksize;
145	if (size == 0)	157	if (size == 0)
146	size = blksize;	158	size = blksize;

Return to bug 153495

Lines 135-141 Link Here

(-)OpenPBS_2_3_16/src/mom_rcp/rcp.c (-7 / +15 lines)
135	#ifdef KERBEROS	135	#ifdef KERBEROS
136	case 'k':	136	case 'k':
137	dest_realm = dst_realm_buf;	137	dest_realm = dst_realm_buf;
138	(void)strncpy(dst_realm_buf, optarg, REALM_SZ);	138	memset(dst_realm_buf, 0, REALM_SZ);
		139	(void)strncpy(dst_realm_buf, optarg, REALM_SZ-1);
139	break;	140	break;
140	#ifdef CRYPT	141	#ifdef CRYPT
141	case 'x':	142	case 'x':
Lines 197-209 Link Here
197		198
198	if (fflag) { /* Follow "protocol", send data. */	199	if (fflag) { /* Follow "protocol", send data. */
199	(void)response();	200	(void)response();
200	(void)setuid(userid);	201	if(setuid(userid) != 0)
		202	errx(1, "can't change to uid %d", (int)userid);
201	source(argc, argv);	203	source(argc, argv);
202	exit(errs);	204	exit(errs);
203	}	205	}
204		206
205	if (tflag) { /* Receive data. */	207	if (tflag) { /* Receive data. */
206	(void)setuid(userid);	208	if(setuid(userid) != 0)
		209	errx(1, "can't change to uid %d", (int)userid);
207	sink(argc, argv);	210	sink(argc, argv);
208	exit(errs);	211	exit(errs);
209	}	212	}
Lines 637-642 Link Here
637		640
638	for (size = 0; isdigit(*cp);)	641	for (size = 0; isdigit(*cp);)
639	size = size * 10 + (*cp++ - '0');	642	size = size * 10 + (*cp++ - '0');
		643	if(size < 0) // integer overflow, more can happen in the loop but lets avoid testing for the sake of performance
		644	SCREWUP("size becomes too big and swapped");
		645
640	if (*cp++ != ' ')	646	if (*cp++ != ' ')
641	SCREWUP("size not delimited");	647	SCREWUP("size not delimited");
642	if (targisdir) {	648	if (targisdir) {
Lines 644-655 Link Here
644	static int cursize;	650	static int cursize;
645	size_t need;	651	size_t need;
646		652
647	need = strlen(targ) + strlen(cp) + 250;	653	need = strlen(targ) + strlen(cp) + 250; // b/c this might overflow (very unlikely) we use sNprintf() later
648	if (need > cursize) {	654	if (need > cursize) {
649	if (!(namebuf = malloc(need)))	655	if (!(namebuf = malloc(need))) // will not set a limit here
650	run_err("%s", strerror(errno));	656	run_err("%s", strerror(errno));
651	}	657	}
652	(void)sprintf(namebuf, "%s%s%s", targ,	658	(void)snprintf(namebuf, need, "%s%s%s", targ,
653	*targ ? "/" : "", cp);	659	*targ ? "/" : "", cp);
654	np = namebuf;	660	np = namebuf;
655	} else	661	} else
Lines 818-823 Link Here
818	{	824	{
819	char ch, *cp, resp, rbuf[BUFSIZ];	825	char ch, *cp, resp, rbuf[BUFSIZ];
820		826
		827	memset(rbuf, 0, BUFSIZ);
		828
821	if (read(rem, &resp, sizeof(resp)) != sizeof(resp))	829	if (read(rem, &resp, sizeof(resp)) != sizeof(resp))
822	lostconn(0);	830	lostconn(0);
823		831
Lines 834-840 Link Here
834	if (read(rem, &ch, sizeof(ch)) != sizeof(ch))	842	if (read(rem, &ch, sizeof(ch)) != sizeof(ch))
835	lostconn(0);	843	lostconn(0);
836	*cp++ = ch;	844	*cp++ = ch;
837	} while (cp < &rbuf[BUFSIZ] && ch != '\n');	845	} while (cp < &rbuf[BUFSIZ-1] && ch != '\n');
838		846
839	if (!iamremote)	847	if (!iamremote)
840	(void)write(STDERR_FILENO, rbuf, cp - rbuf);	848	(void)write(STDERR_FILENO, rbuf, cp - rbuf);