+ if (!*res && (rv == 0 || rv == ENOENT || rv == ENOTDIR)) {
+ int32_t req = name ? GETPWBYNAME : GETPWBYUID;
+ const char *key;
+ int32_t passwdbuf[PW_LEN] = {0};
+ size_t len = 0;
+ char uidbuf[11] = {0};
+
+ if (name) {
+ key = name;
+ } else {
+ /* uid outside of this range can't be queried with the
+ * nscd interface, but might happen if uid_t ever
+ * happens to be a larger type (this is not true as of
+ * now)
+ */
+ if(uid < 0 || uid > UINT32_MAX) {
+ rv = 0;
+ goto done;
+ }
+ key = itoa(uidbuf, uid);
+ }
+
+ f = __nscd_query(req, key, passwdbuf, sizeof passwdbuf, (int[]){0});
+ if (!f) { rv = errno; goto done; }
+
+ if(!passwdbuf[PWFOUND]) { rv = 0; goto cleanup_f; }
+
+ /* A zero length response from nscd is invalid. We ignore
+ * invalid responses and just report an error, rather than
+ * trying to do something with them.
+ */
+ if (!passwdbuf[PWNAMELEN] || !passwdbuf[PWPASSWDLEN]
+ || !passwdbuf[PWGECOSLEN] || !passwdbuf[PWDIRLEN]
+ || !passwdbuf[PWSHELLLEN]) {
+ rv = EIO;
+ goto cleanup_f;
+ }
+
+ if ((passwdbuf[PWNAMELEN]|passwdbuf[PWPASSWDLEN]
+ |passwdbuf[PWGECOSLEN]|passwdbuf[PWDIRLEN]
+ |passwdbuf[PWSHELLLEN]) >= SIZE_MAX/8) {
+ rv = ENOMEM;
+ goto cleanup_f;
+ }
+
+ len = passwdbuf[PWNAMELEN] + passwdbuf[PWPASSWDLEN]
+ + passwdbuf[PWGECOSLEN] + passwdbuf[PWDIRLEN]
+ + passwdbuf[PWSHELLLEN];
+
+ if (len > *size || !*buf) {
+ char *tmp = realloc(*buf, len);
+ if (!tmp) {
+ rv = errno;
+ goto cleanup_f;
+ }
+ *buf = tmp;
+ *size = len;
+ }
+
+ if (!fread(*buf, len, 1, f)) {
+ rv = ferror(f) ? errno : EIO;
+ goto cleanup_f;
+ }
+
+ pw->pw_name = *buf;
+ pw->pw_passwd = pw->pw_name + passwdbuf[PWNAMELEN];
+ pw->pw_gecos = pw->pw_passwd + passwdbuf[PWPASSWDLEN];
+ pw->pw_dir = pw->pw_gecos + passwdbuf[PWGECOSLEN];
+ pw->pw_shell = pw->pw_dir + passwdbuf[PWDIRLEN];
+ pw->pw_uid = passwdbuf[PWUID];
+ pw->pw_gid = passwdbuf[PWGID];
+
+ /* Don't assume that nscd made sure to null terminate strings.
+ * It's supposed to, but malicious nscd should be ignored
+ * rather than causing a crash.
+ */
+ if (pw->pw_passwd[-1] || pw->pw_gecos[-1] || pw->pw_dir[-1]
+ || pw->pw_shell[passwdbuf[PWSHELLLEN]-1]) {
+ rv = EIO;
+ goto cleanup_f;
+ }
+
+ if (name && strcmp(name, pw->pw_name)
+ || !name && uid != pw->pw_uid) {
+ rv = EIO;
+ goto cleanup_f;
+ }
+
+
+ *res = pw;
+cleanup_f:
+ fclose(f);
+ goto done;
+ }
+