In pw_userlock, set 'name' to NULL when we encounter an all number string

because it is also used as an indicator of whether a name or an UID is
being used and we may have undefined results as 'name' may contain
uninitialized stack contents.

MFC after:	2 weeks

diff --git a/pw/pw_user.c b/pw/pw_user.c
index 345f642a73d05547a2fb86aa718f6afa3c4c1444..5c168ab8d253fa12ac9c32c4562ab0e9d3af2e48 100644 (file)
--- a/pw/pw_user.c
+++ b/pw/pw_user.c
@@ -282,9 +282,10 @@ pw_userlock(char *arg1, int mode)
        if (arg1 == NULL)
                errx(EX_DATAERR, "username or id required");
 
-       if (arg1[strspn(arg1, "0123456789")] == '\0')
+       if (arg1[strspn(arg1, "0123456789")] == '\0') {
                id = pw_checkid(arg1, UID_MAX);
-       else
+               name = NULL;
+       } else
                name = arg1;
 
        pwd = (name != NULL) ? GETPWNAM(pw_checkname(name, 0)) : GETPWUID(id);