mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 09:57:41 +00:00

Make sure we don't read or write past the end of the group buffer.

We need to leave room for the terminating NULL in gr_mem.
It is possible for gbm->numgids > gbm->maxgids if we ran out of room.
Todd C. Miller 2021-06-07 13:08:10 -06:00
parent 4b73c98c06
commit 3104d8ba0b


@ -270,9 +270,9 @@ str2grp(const char *instr, int inlen, void *ent, char *buf, int buflen)
grp->gr_mem = NULL;
if (*fieldsep != '\0') {
grp->gr_mem = gr_mem = (char **)ALIGN(buf + inlen + 1);
gr_end = (char **)((unsigned long)(buf + buflen) & ~ALIGNBYTES);
gr_end = (char **)((unsigned long)(buf + buflen) & ~ALIGNBYTES) - 1;
for (;;) {
if (gr_mem == gr_end)
if (gr_mem >= gr_end)
debug_return_int(NSS_STR_PARSE_ERANGE); /* out of space! */
*gr_mem++ = cp;
if (fieldsep == NULL)
@ -311,13 +311,15 @@ process_cstr(const char *instr, int inlen, struct nss_groupsbymem *gbm,
/* Parse groups file string -> struct group. */
grp = buf->result;
error = (*gbm->str2ent)(instr, inlen, grp, buf->buffer, buf->buflen);
if (error || grp->gr_mem == NULL)
if (error != NSS_STR_PARSE_SUCCESS || grp->gr_mem == NULL)
goto done;
for (gr_mem = grp->gr_mem; *gr_mem != NULL; gr_mem++) {
if (strcmp(*gr_mem, user) == 0) {
const int numgids = MIN(gbm->numgids, gbm->maxgids);
/* Append to gid_array unless gr_gid is a dupe. */
for (i = 0; i < gbm->numgids; i++) {
for (i = 0; i < numgids; i++) {
if (gbm->gid_array[i] == grp->gr_gid)
goto done; /* already present */
}