fluencelabs/musl
1
0
Fork 0
mirror of https://github.com/fluencelabs/musl synced 2025-07-31 14:21:57 +00:00
Code Issues Projects Releases Wiki Activity

fix off-by-one error in getgrnam_r and getgrgid_r, clobbering gr_name

Browse Source 
bug report and patch by Michael Forney. the terminating null pointer
at the end of the gr_mem array was overwriting the beginning of the
string data, causing the gr_name member to always be a zero-length
string.
This commit is contained in:
Rich Felker
2013-09-29 02:52:33 -04:00
parent 211264e46a
commit 23b8e3bc95
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/passwd/getgr_r.c
View File

@@ -26,14 +26,14 @@ static int getgr_r(const char *name, gid_t gid, struct group *gr, char *buf, siz
while (__getgrent_a(f, gr, &line, &len, &mem, &nmem)) { while (__getgrent_a(f, gr, &line, &len, &mem, &nmem)) {
if (name && !strcmp(name, gr->gr_name) if (name && !strcmp(name, gr->gr_name)
|| !name && gr->gr_gid == gid) { || !name && gr->gr_gid == gid) {
if (size < len + nmem*sizeof(char *) + 32) { if (size < len + (nmem+1)*sizeof(char *) + 32) {
rv = ERANGE; rv = ERANGE;
break; break;
} }
*res = gr; *res = gr;
buf += (16-(uintptr_t)buf)%16; buf += (16-(uintptr_t)buf)%16;
gr->gr_mem = (void *)buf; gr->gr_mem = (void *)buf;
buf += nmem*sizeof(char *); buf += (nmem+1)*sizeof(char *);
memcpy(buf, line, len); memcpy(buf, line, len);
FIX(name); FIX(name);
FIX(passwd); FIX(passwd);