From: Rich Felker Date: Sun, 29 Sep 2013 06:52:33 +0000 (-0400) Subject: fix off-by-one error in getgrnam_r and getgrgid_r, clobbering gr_name X-Git-Tag: v0.9.15~110 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=23b8e3bc95620b0bd90a78ce0d926942c12b45da;p=oweals%2Fmusl.git fix off-by-one error in getgrnam_r and getgrgid_r, clobbering gr_name bug report and patch by Michael Forney. the terminating null pointer at the end of the gr_mem array was overwriting the beginning of the string data, causing the gr_name member to always be a zero-length string. --- diff --git a/src/passwd/getgr_r.c b/src/passwd/getgr_r.c index 234c9013..3fe2e2b2 100644 --- a/src/passwd/getgr_r.c +++ b/src/passwd/getgr_r.c @@ -26,14 +26,14 @@ static int getgr_r(const char *name, gid_t gid, struct group *gr, char *buf, siz while (__getgrent_a(f, gr, &line, &len, &mem, &nmem)) { if (name && !strcmp(name, gr->gr_name) || !name && gr->gr_gid == gid) { - if (size < len + nmem*sizeof(char *) + 32) { + if (size < len + (nmem+1)*sizeof(char *) + 32) { rv = ERANGE; break; } *res = gr; buf += (16-(uintptr_t)buf)%16; gr->gr_mem = (void *)buf; - buf += nmem*sizeof(char *); + buf += (nmem+1)*sizeof(char *); memcpy(buf, line, len); FIX(name); FIX(passwd);
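Review bot: the `+1` is now applied consistently in both the ERANGE check (`size < len + (nmem+1)*sizeof(char *) + 32`) and the advance `buf += (nmem+1)*sizeof(char *);`, but nothing in the hunk says why, so the two sites could drift apart again; a one-line comment beside the advance such as `/* nmem pointers plus the terminating NULL entry */` would document the invariant the commit message describes. The store of that terminating NULL itself is outside this hunk, so it is worth confirming that the code which writes `gr->gr_mem[nmem]` is the only consumer of the extra slot, since before this change that write landed on the first byte of the copied line (which is why `gr_name` came back empty). Two style points in the unchanged context: the `+ 32` slack in the size check covers the up-to-15-byte alignment step `buf += (16-(uintptr_t)buf)%16;` but is otherwise unexplained and would read better as a named constant or comment, and the condition `name && !strcmp(name, gr->gr_name) || !name && gr->gr_gid == gid` relies on `&&` binding tighter than `||`, which most compilers flag; parenthesising the two alternatives would silence the warning without changing behaviour.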