netgroup_mkdb(8) calls abort() when _ng_parse() returns
_NG_ERROR for a malformed netgroup entry.

The switch in ng_load() at netgroup_mkdb.c:213 handles
_NG_NONE, _NG_NAME, and _NG_GROUP, but not _NG_ERROR (-1).
A truncated or malformed netgroup entry causes _ng_parse() to
return _NG_ERROR, which falls through to the default case:

	default:
		abort();

A 28-byte input reproduces the crash:

	mygroup (host1, 1, dn1) (hos

Confirmed on OpenBSD 7.8/arm64 with the system binary.

Fix: handle _NG_ERROR with errx(), matching the existing
error handling at line 263 for other parse failures.

Found by AFL++ fuzzing.

Index: usr.sbin/netgroup_mkdb/netgroup_mkdb.c
===================================================================
RCS file: /cvs/src/usr.sbin/netgroup_mkdb/netgroup_mkdb.c,v
retrieving revision 1.24
diff -u -p -r1.24 netgroup_mkdb.c
--- usr.sbin/netgroup_mkdb/netgroup_mkdb.c 4 Jan 2023 13:00:11 -0000
1.24
+++ usr.sbin/netgroup_mkdb/netgroup_mkdb.c
@@ -272,6 +272,9 @@ ng_load(const char *fname)
}
break;
+ case _NG_ERROR:
+ errx(1, "syntax error in %s", fname);
+
default:
abort();
break;
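
Review bot: the new `case _NG_ERROR:` runs straight into `default:` with no `break` or `/* NOTREACHED */` marker, unlike the `break;` that closes the case above it. errx() does not return, so the behaviour is correct, but a `/* NOTREACHED */` comment after the errx() call would make the missing break visibly intentional. The message also reports only fname; if ng_load() has the offending group name or line position available at this point, including it would let an administrator locate the malformed entry in a large netgroup file.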