1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
From 23b8e3bc95620b0bd90a78ce0d926942c12b45da Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Sun, 29 Sep 2013 02:52:33 -0400
Subject: [PATCH] fix off-by-one error in getgrnam_r and getgrgid_r, clobbering
gr_name
bug report and patch by Michael Forney. the terminating null pointer
at the end of the gr_mem array was overwriting the beginning of the
string data, causing the gr_name member to always be a zero-length
string.
---
src/passwd/getgr_r.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/passwd/getgr_r.c b/src/passwd/getgr_r.c
index 234c901..3fe2e2b 100644
--- a/src/passwd/getgr_r.c
+++ b/src/passwd/getgr_r.c
@@ -26,14 +26,14 @@ static int getgr_r(const char *name, gid_t gid, struct group *gr, char *buf, siz
while (__getgrent_a(f, gr, &line, &len, &mem, &nmem)) {
if (name && !strcmp(name, gr->gr_name)
|| !name && gr->gr_gid == gid) {
- if (size < len + nmem*sizeof(char *) + 32) {
+ if (size < len + (nmem+1)*sizeof(char *) + 32) {
rv = ERANGE;
break;
}
*res = gr;
buf += (16-(uintptr_t)buf)%16;
gr->gr_mem = (void *)buf;
- buf += nmem*sizeof(char *);
+ buf += (nmem+1)*sizeof(char *);
memcpy(buf, line, len);
FIX(name);
FIX(passwd);
--
1.8.4
|
