On Wed, Apr 01, 2026 at 05:59:17PM +0200, Renaud Allard wrote:
> netgroup_mkdb(8) calls abort() when _ng_parse() returns
> _NG_ERROR for a malformed netgroup entry.
>
> The switch in ng_load() at netgroup_mkdb.c:213 handles
> _NG_NONE, _NG_NAME, and _NG_GROUP, but not _NG_ERROR (-1).
> A truncated or malformed netgroup entry causes _ng_parse() to
> return _NG_ERROR, which falls through to the default case:
>
>   default:
>       abort();
>
> A 28-byte input reproduces the crash:
>
>   mygroup (host1, 1, dn1) (hos
>
> Confirmed on OpenBSD 7.8/arm64 with the system binary.
>
> Fix: handle _NG_ERROR with errx(), matching the existing
> error handling at line 263 for other parse failures.
>
> Found by AFL++ fuzzing.
>
> Index: usr.sbin/netgroup_mkdb/netgroup_mkdb.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/netgroup_mkdb/netgroup_mkdb.c,v
> retrieving revision 1.24
> diff -u -p -r1.24 netgroup_mkdb.c
> --- usr.sbin/netgroup_mkdb/netgroup_mkdb.c    4 Jan 2023 13:00:11 -0000       
> 1.24
> +++ usr.sbin/netgroup_mkdb/netgroup_mkdb.c
> @@ -272,6 +272,9 @@ ng_load(const char *fname)
>                               }
>                               break;
>
> +                     case _NG_ERROR:
> +                             errx(1, "syntax error in %s", fname);
> +
>                       default:
>                               abort();
>                               break;
>
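
Review bot: the new case _NG_ERROR arm ends at the errx() call with no break or /* NOTREACHED */ before default:, while the abort() right below it is still followed by break. errx() does not return, so the behaviour is correct, but nothing in the switch itself shows that the fallthrough into default is unreachable. Adding /* NOTREACHED */ (or a break) after the errx() line would keep the arm consistent with its neighbours. The message also names only fname. If a line counter or the name of the group being parsed is in scope at this point, putting it in the errx() string would let an administrator locate the malformed entry in a large netgroup file.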

thanks, committed.
