From: Alejandro Colomar
Date: Fri, 6 Dec 2024 23:07:27 +0000 (+0100)
Subject: lib/sgetgrent.c: sgetgrent(): Fix use-after-free bug
X-Git-Tag: 4.17.0~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8424d7c49462a6587c773f9b08c1867d7750f5ec;p=thirdparty%2Fshadow.git

lib/sgetgrent.c: sgetgrent(): Fix use-after-free bug

We were reusing a leftover from parsing a previous line if (i == NFIELDS-1). A few lines below this check, we read the element in [3] (that is, [NFIELDS-1]), without having written it in this call.

Be stricter, and require that all NFIELDS fields are found.

Fixes: 45c6603cc86c (2007-10-07, "[svn-upgrade] Integrating new upstream version, shadow (19990709)")
Closes:
Cc: Serge Hallyn
Cc: Iker Pedrosa
Signed-off-by: Alejandro Colomar
---
diff --git a/lib/sgetgrent.c b/lib/sgetgrent.c index b1202967e..42b4efb77 100644 --- a/lib/sgetgrent.c +++ b/lib/sgetgrent.c @@ -89,7 +89,7 @@ struct group *sgetgrent (const char *buf) for (cp = grpbuf, i = 0; (i < NFIELDS) && (NULL != cp); i++) grpfields[i] = strsep(&cp, ":"); - if (i < (NFIELDS - 1) || *grpfields[2] == '\0' || cp != NULL) { + if (i < NFIELDS || *grpfields[2] == '\0' || cp != NULL) { return NULL; } grent.gr_name = grpfields[0];
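Review bot: the tightened test `if (i < NFIELDS || ...)` changes which inputs are accepted, and neither the commit message nor a comment at the check says so. A line with only NFIELDS-1 colon-separated fields used to pass `i < (NFIELDS - 1)` and is now rejected with NULL. Please state that in the commit message or in a short comment above the condition, so callers know that a line missing its last field is now a parse error rather than a line with an empty last field. The patch also adds no regression test. A case that parses a full NFIELDS-field line and then a line with one field fewer, asserting that the second call returns NULL, would pin the fix down. As defense in depth, consider clearing `grpfields[]` before the `strsep()` loop so that a future change to this condition cannot expose a leftover pointer from an earlier call again. The ordering of the condition is correct as written: `*grpfields[2]` is only evaluated after `i < NFIELDS` has ruled out an unwritten slot, so keep the count check first if this line is ever reshuffled.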