From 460a14f4c167f92ba6c42a33854a8a5bc5504797 Mon Sep 17 00:00:00 2001
From: Eitan Adler
Date: Wed, 5 Dec 2012 13:56:46 +0000
Subject: Avoid overflow of file buffer
Submitted by: db
Approved by: cperciva
MFC after: 2 weeks
---
 pw/pw_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'pw/pw_user.c')
diff --git a/pw/pw_user.c b/pw/pw_user.c
index abf1c35..23a7856 100644
--- a/pw/pw_user.c
+++ b/pw/pw_user.c
@@ -394,7 +394,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 /*
 * Remove crontabs
 */
- sprintf(file, "/var/cron/tabs/%s", pwd->pw_name);
+ snprintf(file, sizeof(file), "/var/cron/tabs/%s", pwd->pw_name);
 if (access(file, F_OK) == 0) {
 sprintf(file, "crontab -u %s -r", pwd->pw_name);
 system(file);
--
cgit v1.2.3-56-ge451
From 228ea4032d5eee849fa8b83e5e136b3edd92e29f Mon Sep 17 00:00:00 2001
From: Baptiste Daroussin
Date: Wed, 26 Dec 2012 18:14:45 +0000
Subject: Fix creating a user and adding it to a group
Reported by: "Sam Fourman Jr." , dim
---
 pw/pw_user.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
(limited to 'pw/pw_user.c')
diff --git a/pw/pw_user.c b/pw/pw_user.c
index 23a7856..7df6b85 100644
--- a/pw/pw_user.c
+++ b/pw/pw_user.c
@@ -747,6 +747,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 if (mode == M_ADD || getarg(args, 'G') != NULL) {
 int i, j;
 for (i = 0; cnf->groups[i] != NULL; i++) {
+ char **members;
 grp = GETGRNAM(cnf->groups[i]);
 for (j = 0; grp->gr_mem[j] != NULL; j++) {
 if (!strcmp(grp->gr_mem[j], pwd->pw_name))
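Review bot: The `crontab -u %s -r` line two lines below the changed call still uses an unbounded `sprintf` into the same `file` buffer, so the `@@ -394,7 +394,7 @@` hunk closes only one of the two writes; it should become `snprintf(file, sizeof(file), "crontab -u %s -r", pwd->pw_name);`. The result of the new `snprintf` is not checked either, so a truncated path would be handed to `access()` without notice. That second string goes to `system()`, which means the account name is parsed by a shell; the code then depends entirely on name validation done elsewhere in `pw` (not visible here), and running `crontab` through an argv-based exec would remove that dependency. The enclosing `pw_user` body starts and ends outside the hunk.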
@@ -755,15 +756,15 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 if (grp->gr_mem[j] != NULL) /* user already member of group */
 continue;

- if (j == 0)
- grp->gr_mem = NULL;
+ members = malloc(sizeof(char *) * (j + 1));
+ for (j = 0; grp->gr_mem[j] != NULL; j++)
+ members[j] = grp->gr_mem[j];

- grp->gr_mem = reallocf(grp->gr_mem, sizeof(*grp->gr_mem) *
- (j + 2));
-
- grp->gr_mem[j] = pwd->pw_name;
- grp->gr_mem[j+1] = NULL;
+ members[j] = pwd->pw_name;
+ members[j+1] = NULL;
+ grp->gr_mem = members;
 chggrent(cnf->groups[i], grp);
+ free(members);
 }
 }

--
cgit v1.2.3-56-ge451
From f5a04a9f49ff5a1dd493c135efbf0e9dde2c97d1 Mon Sep 17 00:00:00 2001
From: Baptiste Daroussin
Date: Wed, 26 Dec 2012 23:14:33 +0000
Subject: Fix off-by-one error in memory allocation: j entries, one new and a null terminator is j + 2.
Submitted by: Christoph Mallon
---
 pw/pw_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'pw/pw_user.c')
diff --git a/pw/pw_user.c b/pw/pw_user.c
index 7df6b85..43119ed 100644
--- a/pw/pw_user.c
+++ b/pw/pw_user.c
@@ -756,7 +756,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 if (grp->gr_mem[j] != NULL) /* user already member of group */
 continue;

- members = malloc(sizeof(char *) * (j + 1));
+ members = malloc(sizeof(char *) * (j + 2));
 for (j = 0; grp->gr_mem[j] != NULL; j++)
 members[j] = grp->gr_mem[j];

--
cgit v1.2.3-56-ge451
From e02eb3b3d39827fc7edf6c88e3cbb481427b6484 Mon Sep 17 00:00:00 2001
From: Baptiste Daroussin
Date: Wed, 26 Dec 2012 23:16:24 +0000
Subject: Simplify copying of group members by using memcpy
Submitted by: Christoph Mallon
---
 pw/pw_user.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'pw/pw_user.c')
diff --git a/pw/pw_user.c b/pw/pw_user.c
index 43119ed..74c1ef9 100644
--- a/pw/pw_user.c
+++ b/pw/pw_user.c
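Review bot: `members = malloc(sizeof(char *) * (j + 1));` in the `@@ -755,15 +756,15 @@` hunk is used without a NULL check, and the copy loop and the two stores after it write through it directly; the same unchecked allocation is carried through the `j + 2` and `memcpy` hunks of the next two commits. The size is also one slot short for `j` existing entries plus the new name and the terminator, so `members[j+1] = NULL;` lands past the allocation (the following commit in this series changes it to `j + 2`). After `free(members);` the hunk leaves `grp->gr_mem` pointing at released memory, so saving the old pointer and restoring it after `chggrent` would avoid a dangling reference if `grp` is read again. A guard such as `if (members == NULL) err(1, "malloc");` fits right after the allocation, assuming `<err.h>` is already included in this file. The enclosing loop in `pw_user` starts outside the hunk.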
@@ -757,8 +757,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 continue;

 members = malloc(sizeof(char *) * (j + 2));
- for (j = 0; grp->gr_mem[j] != NULL; j++)
- members[j] = grp->gr_mem[j];
+ memcpy(members, grp->gr_mem, j * sizeof(*members));

 members[j] = pwd->pw_name;
 members[j+1] = NULL;
--
cgit v1.2.3-56-ge451
From 6103660c3f4ffd28a0aa58ac0ba88bfb081708cf Mon Sep 17 00:00:00 2001
From: Baptiste Daroussin
Date: Thu, 27 Dec 2012 14:35:06 +0000
Subject: Simplify the code by using the new gr_add function
---
 pw/pw_user.c | 24 +++++++++---------------
 1 file changed, 9 insertions(+), 15 deletions(-)
(limited to 'pw/pw_user.c')
diff --git a/pw/pw_user.c b/pw/pw_user.c
index 74c1ef9..5577511 100644
--- a/pw/pw_user.c
+++ b/pw/pw_user.c
@@ -745,25 +745,19 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 */

 if (mode == M_ADD || getarg(args, 'G') != NULL) {
- int i, j;
+ int i;
 for (i = 0; cnf->groups[i] != NULL; i++) {
- char **members;
 grp = GETGRNAM(cnf->groups[i]);
- for (j = 0; grp->gr_mem[j] != NULL; j++) {
- if (!strcmp(grp->gr_mem[j], pwd->pw_name))
- break;
- }
- if (grp->gr_mem[j] != NULL) /* user already member of group */
+ grp = gr_add(grp, pwd->pw_name);
+ /*
+ * grp can only be NULL in 2 cases:
+ * - the new member is already a member
+ * - a problem with memory occurs
+ * in both cases we want to skip now.
+ */
+ if (grp == NULL)
 continue;
-
- members = malloc(sizeof(char *) * (j + 2));
- memcpy(members, grp->gr_mem, j * sizeof(*members));
-
- members[j] = pwd->pw_name;
- members[j+1] = NULL;
- grp->gr_mem = members;
 chggrent(cnf->groups[i], grp);
- free(members);
 }
 }

--
cgit v1.2.3-56-ge451
From dacca6ad00356bc4cd45aa4bca857ebe95cba244 Mon Sep 17 00:00:00 2001
From: Mateusz Guzik
Date: Sun, 6 Jan 2013 21:56:58 +0000
Subject: pw: free group returned by gr_add
---
 pw/pw_user.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'pw/pw_user.c')
diff --git a/pw/pw_user.c b/pw/pw_user.c
index 5577511..38f21ce 100644
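Review bot: `grp = GETGRNAM(cnf->groups[i]);` is passed straight to `gr_add()` in the `@@ -745,25 +745,19 @@` hunk, so a group name that does not resolve hands a NULL group to `gr_add`; whether `gr_add` tolerates that is not visible here, and a guard `if (grp == NULL) continue;` (or a warning) before the call would make the behaviour explicit. The new comment also says that an allocation failure and "already a member" are both skipped silently, which means an account can be created without a requested supplementary group and the operator gets no signal. If `gr_add` sets `errno` on the memory path, distinguishing the two cases and emitting a warning on failure would make a partial group assignment visible. The enclosing `pw_user` function starts and ends outside the hunk.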
--- a/pw/pw_user.c
+++ b/pw/pw_user.c
@@ -758,6 +758,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 if (grp == NULL)
 continue;
 chggrent(cnf->groups[i], grp);
+ free(grp);
 }
 }

--
cgit v1.2.3-56-ge451
From cbfb9c649bd7eecce96516a347e4bab7c5b2cb52 Mon Sep 17 00:00:00 2001
From: Daniel Eischen
Date: Fri, 1 Feb 2013 05:19:49 +0000
Subject: Prevent a null pointer dereference in pw userdel when deleting a user whose group != username.
---
 pw/pw_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'pw/pw_user.c')
diff --git a/pw/pw_user.c b/pw/pw_user.c
index 38f21ce..5f4d7a9 100644
--- a/pw/pw_user.c
+++ b/pw/pw_user.c
@@ -425,7 +425,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 }
 grp = GETGRNAM(a_name->val);
- if (*grp->gr_mem == NULL)
+ if (grp != NULL && *grp->gr_mem == NULL)
 delgrent(GETGRNAM(a_name->val));
 SETGRENT();
 while ((grp = GETGRENT()) != NULL) {
--
cgit v1.2.3-56-ge451
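Review bot: The result of `chggrent(cnf->groups[i], grp);` is discarded just before the added `free(grp);` in the `@@ -758,6 +758,7 @@` hunk, so a failed group-database update would pass unnoticed and the account would exist without the membership that was requested. If `chggrent` reports errors through its return value (its prototype is not visible here), check it and warn, for example `if (chggrent(cnf->groups[i], grp) != 0) warn("group update");`. A short comment on the new line, `/* gr_add() returned a heap copy that we own */`, would document why `grp` is freed here while other `GETGRNAM` results in this function are not. The enclosing loop in `pw_user` starts outside the hunk.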
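Review bot: `delgrent(GETGRNAM(a_name->val));` in the `@@ -425,7 +425,7 @@` hunk repeats the lookup that the new guard has just validated, and the result of that second call is not checked; passing the pointer that was tested, `delgrent(grp);`, keeps the NULL check and the deletion tied to the same lookup. This presumes `delgrent` takes the group pointer only for reading, which its call here suggests but the hunk does not show. The enclosing `pw_user` function starts and ends outside the hunk.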