From 22562df07d1d1e7bb6a8adba067d8945f293c841 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <andersk@mit.edu>
Date: Sun, 18 Oct 2009 02:33:42 -0400
Subject: [PATCH] Check that a nonlocal lookup by name returns the right name.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 nonlocal-group.c  |  5 +++++
 nonlocal-passwd.c |  5 +++++
 nonlocal-shadow.c | 11 ++++++++++-
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/nonlocal-group.c b/nonlocal-group.c
index a704241..83e5d12 100644
--- a/nonlocal-group.c
+++ b/nonlocal-group.c
@@ -329,6 +329,11 @@ _nss_nonlocal_getgrnam_r(const char *name, struct group *grp,
     if (status != NSS_STATUS_SUCCESS)
 	return status;
 
+    if (strcmp(name, grp->gr_name) != 0) {
+	syslog(LOG_ERR, "nss_nonlocal: discarding group %s from lookup for group %s\n", grp->gr_name, name);
+	return NSS_STATUS_NOTFOUND;
+    }
+
     return check_nonlocal_gid(name, grp->gr_gid, errnop);
 }
 
diff --git a/nonlocal-passwd.c b/nonlocal-passwd.c
index e915ea0..29e922b 100644
--- a/nonlocal-passwd.c
+++ b/nonlocal-passwd.c
@@ -329,6 +329,11 @@ _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
     if (status != NSS_STATUS_SUCCESS)
 	return status;
 
+    if (strcmp(name, pwd->pw_name) != 0) {
+	syslog(LOG_ERR, "nss_nonlocal: discarding user %s from lookup for user %s\n", pwd->pw_name, name);
+	return NSS_STATUS_NOTFOUND;
+    }
+
     status = check_nonlocal_uid(name, pwd->pw_uid, errnop);
     if (status != NSS_STATUS_SUCCESS)
 	return status;
diff --git a/nonlocal-shadow.c b/nonlocal-shadow.c
index 6524ee8..f1e03a1 100644
--- a/nonlocal-shadow.c
+++ b/nonlocal-shadow.c
@@ -33,6 +33,7 @@
 #include <string.h>
 #include <dlfcn.h>
 #include <stdio.h>
+#include <syslog.h>
 #include <errno.h>
 #include <shadow.h>
 #include <nss.h>
@@ -179,5 +180,13 @@ _nss_nonlocal_getspnam_r(const char *name, struct spwd *pwd,
 	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
 	    break;
     } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
-    return status;
+    if (status != NSS_STATUS_SUCCESS)
+	return status;
+
+    if (strcmp(name, pwd->sp_namp) != 0) {
+	syslog(LOG_ERR, "nss_nonlocal: discarding shadow %s from lookup for shadow %s\n", pwd->sp_namp, name);
+	return NSS_STATUS_NOTFOUND;
+    }
+
+    return NSS_STATUS_SUCCESS;
 }
-- 
2.44.0