These functions (e.g., gr_free()), explicitly dereference the pointer
and read the pointee.
The /@out@/ comment, which is (almost) analogous to the
[[gnu::access(write_only, ...)]] attribute, means that the pointee can
be uninitialized, since it won't read it. There's a difference between
/@out@/ and the GCC attribute: the attribute doesn't require that the
call writes to the pointee, while /@out@/ requires that the pointee be
fully initialized after the call, so it _must_ write to it.
A guess of why it was used is that these functions are similar to
free(3), which does not read the memory it frees, and so one would
assume that if it doesn't read, write_only (or equivalents) are good.
That's wrong in several ways:
- free(3) does not read _nor_ write to the memory, so it would
be slightly inappropriate to use write_only with it. It wouldn't be
"wrong", but [[gnu::access(none, ...)]] would be more appropriate.
- Because /@out@/ requires that the call writes to the pointee, it
would be wrong to use it in free(3), which doesn't write to the
pointee.
- Our functions are similar to free(3) conceptually, but they don't
behave like free(3), since they do read the memory (pointee) (and
also write to it), and thus they're actually read_write.
Link: <https://splint.org/manual/manual.html#undefined>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Use of these macros, apart from the benefits mentioned in the commit
that adds the macros, has some other good side effects:
- Consistency in getting the size of the object from sizeof(type),
instead of a mix of sizeof(type) sometimes and sizeof(*p) other
times.
- More readable code: no casts, and no sizeof(), so also shorter lines
that we don't need to cut.
- Consistency in using array allocation calls for allocations of arrays
of objects, even when the object size is 1.
Cc: Valentin V. Bartenev <vbartenev@gmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Add an additional NULL check condition in spw_free() and pw_free() to
avoid freeing an already empty pointer.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* lib/groupmem.c (__gr_dup): Support libc which define other
fields in struct group.
* lib/pwmem.c: Likewise for struct passwd.
* lib/shadowmem.c: Likewise for struct spwd.
* lib/sgroupio.c: Apply same logic, even if this structure is
defined internally.
spwd. (start with the primitive types)
* lib/shadowmem.c: Avoid memzero() on a possibly NULL pointer.
* lib/groupmem.c: Only copy the required fields of the struct
group. (start with the primitive types)
* lib/groupmem.c: Avoid memzero() on a possibly NULL pointer.
* lib/groupmem.c: Free gr_mem in addition to its elements.
* lib/sgroupio.c: The struct sgrp has no primitive types to be
copied initially.
* lib/sgroupio.c: Avoid memzero() on a possibly NULL pointer.
* lib/sgroupio.c: Free sg_mem and sg_add in addition to their
elements.
* lib/pwmem.c: Only copy the required fields of the struct
passwd. (start with the primitive types)
* lib/shadowio.c: Use spw_free() for shadow_free().
* lib/groupmem.c: Added gr_free().
* lib/groupio.c: Use gr_free() for group_free().
* lib/pwmem.c: Include define.h before prototypes.h
* lib/pwmem.c: Added pw_free().
* lib/pwio.c: Use pw_free() for passwd_free().
* lib/sgroupio.c: Added sgr_free().
* lib/sgroupio.c: Use sgr_free() for gshadow_free().
* lib/prototypes.h: Added gr_free(), pw_free(), sgr_free(),
spw_free().
Files with no license use the default 3-clauses BSD license. The copyright
were mostly not recorded; they were updated according to the Changelog.
"Julianne Frances Haugh and contributors" changed to "copyright holders
and contributors".
and "pwauth.h" only when compiled without PAM support.
* src/chfn.c, src/chsh.c: Do not include <shadow.h>
* lib/commonio.c: Do not include <shadow.h>. Do not include
<pwd.h>. Include "nscd.h" instead of <nscd.h>.
* configure.in: Do not check if shadow.h exist, but make sure it
exists.
* libmisc/pwdcheck.c, src/chfn.c, src/chsh.c, lib/defines.h,
lib/shadowmem.c, lib/shadowio.c, lib/commonio.c:
HAVE_SHADOW_H is no more needed (shadow.h should always exist).
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which result in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoid linking some utils against
the SELinux library.
