getgrent.c: adjust _nextypgroup() slightly so that it continues processing

the group map after encountering a badly formatted entry.

getpwent.c: same as above for _nextyppass(), and also turn a couple of
sprintf()s into snprintf()s to avoid potential buffer overruns. (The
other day I nearly went mad because of a username in my NIS database
that's actually 9 characters long instead of 8. Stuffing a 9-character
username into an 8-character buffer can do some strange things.)

(This reminds me: I hope somebody's planning to fix the buffer overrun
security hole in syslog(3) before 2.1 ships.)

1 files changed, 6 insertions, 3 deletions

diff --git a/lib/libc/gen/getpwent.c b/lib/libc/gen/getpwent.c
index 605ecac..71c0ae0 100644
--- a/lib/libc/gen/getpwent.c
+++ b/lib/libc/gen/getpwent.c
@@ -670,7 +670,7 @@ _getyppass(struct passwd *pw, const char *name, const char *map)
 
 	if(resultlen >= sizeof resultbuf) return 0;
 	strcpy(resultbuf, result);
-	sprintf (user, "%.*s", (strchr(result, ':') - result), result);
+	snprintf (user, sizeof(user), "%.*s", (strchr(result, ':') - result), result);
 	_pw_passwd.pw_fields = -1; /* Impossible value */
 	if (_scancaches((char *)&user)) {
 		free(result);
@@ -736,7 +736,7 @@ unpack:
 		}
 
 		strcpy(resultbuf, result);
-		sprintf(user, "%.*s", (strchr(result, ':') - result), result);
+		snprintf(user, sizeof(user), "%.*s", (strchr(result, ':') - result), result);
 		_pw_passwd.pw_fields = -1; /* Impossible value */
 		if (_scancaches((char *)&user)) {
 			free(result);
@@ -747,7 +747,10 @@ unpack:
 		if (_pw_passwd.pw_fields == -1)
 			goto tryagain;
 		if(result = strchr(resultbuf, '\n')) *result = '\0';
-		return(_pw_breakout_yp(pw, resultbuf, gotmaster));
+		if (_pw_breakout_yp(pw, resultbuf, gotmaster))
+			return(1);
+		else
+			goto tryagain;
 	}
 }