Files
shadow/lib/sgetgrent.c
T
Samanta Navarro 1c6a1206bd lib/sgetgrent.c: fix null pointer dereference
If reallocation fails in function list, then reset the size to 0 again.
Without the reset, the next call assumes that `members` points to
a memory location with reserved space.

Also use size_t instead of int for size to prevent signed integer
overflows. The length of group lines is not limited.

Fixes 45c0003e53 (4.14 release series)

Proof of Concept:

-  Prepare a group file (one long group line and a shorter one, both with a list of users)

	$ echo -n "root:x:0:" > /tmp/uwu
	$ yes , | tr -d '\n' | dd of=/tmp/uwu bs=10 count=3145728 seek=1 conv=notrunc iflag=fullblock
	$ echo -e "\nbin:x:1:," >> /tmp/uwu

-  Run grpck with tight memory constraints

	$ ulimit -d 102400
	$ grpck /tmp/uwu
	Segmentation fault (core dumped)

Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Cherry-picked-from: a9e07c0feb ("lib/sgetgrent.c: fix null pointer dereference")
Link: <https://github.com/shadow-maint/shadow/pull/904>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2024-01-16 00:00:43 +01:00

2.5 KiB