From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Wed, 24 Feb 2010 10:19:20 +0000 (+0100)
Subject: Bug #2818: Random unix_group crash at startup due to uninitialized pointer reference
X-Git-Tag: SQUID_3_2_0_1~407
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=056823c5758d1648690dd50745eef39dc10d92c2;p=thirdparty%2Fsquid.git

Bug #2818: Random unix_group crash at startup due to uninitialized pointer reference

The group array was not properly initialized.

This patch also removes the limitation of 10 groups.
---

diff --git a/helpers/external_acl/unix_group/check_group.c b/helpers/external_acl/unix_group/check_group.c
index f7d1c4bd36..e04dcb223c 100644
--- a/helpers/external_acl/unix_group/check_group.c
+++ b/helpers/external_acl/unix_group/check_group.c
@@ -29,6 +29,10 @@
  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  *
  * Change Log:
+ * 2010-02-24 hno
+ * Removed group number limitation and fixed related uninitialized
+ * pointer reference (Bug #2813)
+ *
  * Revision 1.7  2004/08/15 00:29:33  hno
  * helper protocol changed to URL-escaped strings in Squid-3.0
  *
@@ -65,8 +69,6 @@
 #include <ctype.h>
 
 #define BUFSIZE 8192		/* the stdin buffer size */
-#define MAX_GROUP 10		/* maximum number of groups specified 
-* on the command line */
 
 /*
  * Verify if user´s primary group matches groupname
@@ -139,8 +141,8 @@ main(int argc, char *argv[])
 {
     char *user, *suser, *p;
     char buf[BUFSIZE];
-    char *grents[MAX_GROUP];
-    int check_pw = 0, ch, i = 0, j = 0, strip_dm = 0;
+    char **grents = NULL;
+    int check_pw = 0, ch, ngroups = 0, i, j = 0, strip_dm = 0;
 
     /* make standard output line buffered */
     setvbuf(stdout, NULL, _IOLBF, 0);
@@ -155,19 +157,11 @@ main(int argc, char *argv[])
             check_pw = 1;
             break;
         case 'g':
-            grents[i] = calloc(strlen(optarg) + 1, sizeof(char));
-            strcpy(grents[i], optarg);
-            if (i < MAX_GROUP) {
-                i++;
-            } else {
-                fprintf(stderr,
-                        "Exceeded maximum number of allowed groups (%i)\n", i);
-                exit(1);
-            }
+	    grents = realloc(grents, sizeof(*grents) * (ngroups+1));
+            grents[ngroups++] = optarg;
             break;
         case '?':
             if (xisprint(optopt)) {
-
                 fprintf(stderr, "Unknown option '-%c'.\n", optopt);
             } else {
                 fprintf(stderr, "Unknown option character `\\x%x'.\n", optopt);
@@ -211,13 +205,12 @@ main(int argc, char *argv[])
                 rfc1738_unescape(p);
                 if (check_pw == 1)
                     j += validate_user_pw(user, p);
-
                 j += validate_user_gr(user, p);
             }
         }
 
         /* check groups supplied on the command line */
-        for (i = 0; grents[i] != NULL; i++) {
+        for (i = 0; i < ngroups; i++) {
             if (check_pw == 1) {
                 j += validate_user_pw(user, grents[i]);
             }