fix off-by-one error in getgrnam_r and getgrgid_r, clobbering gr_name
authorRich Felker <dalias@aerifal.cx>
Sun, 29 Sep 2013 06:52:33 +0000 (02:52 -0400)
committerRich Felker <dalias@aerifal.cx>
Sun, 29 Sep 2013 06:52:33 +0000 (02:52 -0400)
bug report and patch by Michael Forney. the terminating null pointer
at the end of the gr_mem array was overwriting the beginning of the
string data, causing the gr_name member to always be a zero-length
string.

src/passwd/getgr_r.c

index 234c90131143fd98fa3fef7c5954d7da8855144f..3fe2e2b20b17ca4e182b8707ae68a4d1ebd8918c 100644 (file)
@@ -26,14 +26,14 @@ static int getgr_r(const char *name, gid_t gid, struct group *gr, char *buf, siz
        while (__getgrent_a(f, gr, &line, &len, &mem, &nmem)) {
                if (name && !strcmp(name, gr->gr_name)
                || !name && gr->gr_gid == gid) {
-                       if (size < len + nmem*sizeof(char *) + 32) {
+                       if (size < len + (nmem+1)*sizeof(char *) + 32) {
                                rv = ERANGE;
                                break;
                        }
                        *res = gr;
                        buf += (16-(uintptr_t)buf)%16;
                        gr->gr_mem = (void *)buf;
-                       buf += nmem*sizeof(char *);
+                       buf += (nmem+1)*sizeof(char *);
                        memcpy(buf, line, len);
                        FIX(name);
                        FIX(passwd);
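Review bot: The `+ 32` slack in the corrected size check on the `if (size < len + (nmem+1)*sizeof(char *) + 32)` line is a magic number with no explanation; it presumably exists to absorb the up-to-15-byte alignment adjustment made by `buf += (16-(uintptr_t)buf)%16` two lines later, and a reader cannot tell that from the code. I would add `/* +32: room for the 16-byte alignment of gr_mem plus terminator slack */` above the check so the next person does not tighten or drop it. Note that getgr_r's body, the FIX macro, and the point where the terminating NULL entry is actually written into gr_mem all lie outside this hunk, so whether nmem counts that NULL entry cannot be confirmed from what is shown here.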