From: Alejandro Colomar Date: Tue, 2 Jul 2024 12:51:04 +0000 (+0200) Subject: lib/port.c: getportent(): Make sure the aren't too many fields in the CSV X-Git-Tag: 4.17.0-rc1~137 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a198054456728ae3ea8565e11e636c759616ef9c;p=thirdparty%2Fshadow.git lib/port.c: getportent(): Make sure the aren't too many fields in the CSV Otherwise, the line is invalidly formatted, and we ignore it. Detailed explanation: There are two conditions on which we break out of the loops that precede these added checks: - j is too big (we've exhausted the space in the static arrays) $ grep -r -e PORT_TTY -e PORT_IDS lib/port.* lib/port.c: static char *ttys[PORT_TTY + 1]; /* some pointers to tty names */ lib/port.c: static char *users[PORT_IDS + 1]; /* some pointers to user ids */ lib/port.c: for (cp = buf, j = 0; j < PORT_TTY; j++) { lib/port.c: if ((',' == *cp) && (j < PORT_IDS)) { lib/port.h: * PORT_IDS - Allowable number of IDs per entry. lib/port.h: * PORT_TTY - Allowable number of TTYs per entry. lib/port.h:#define PORT_IDS 64 lib/port.h:#define PORT_TTY 64 - strpbrk(3) found a ':', which signals the end of the comma-sepatated list, and the start of the next colon-separated field. If the first character in the remainder of the string is not a ':', it means we've exhausted the array size, but the CSV list was longer, so we'd be truncating it. Consider the entire line invalid, and skip it. Signed-off-by: Alejandro Colomar
---
diff --git a/lib/port.c b/lib/port.c
index cac4ba44f..32bb08025 100644
--- a/lib/port.c
+++ b/lib/port.c
@@ -159,6 +159,9 @@ next:
 if (',' == *cp) /* end of current tty name */
 stpcpy(cp++, "");
 }
+ if (':' != *cp)
+ goto next;
+
 stpcpy(cp++, "");
 port.pt_names[j] = NULL;
@@ -187,10 +190,8 @@ next:
 } else {
 port.pt_users = 0;
 }
-
- if (':' != *cp) {
+ if (':' != *cp)
 goto next;
- }
 stpcpy(cp++, "");
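Review bot: The `goto next;` added after the tty-name loop in the first hunk discards the whole line with no comment and no diagnostic, so nothing in the code says that this branch is the "more than PORT_TTY names" case described in the commit message. I would annotate it in the style of the neighbouring comments, e.g. `goto next;	/* more tty names than PORT_TTY: reject line */`. If these entries restrict which users may use which ttys, a silently skipped line may mean that the rule an administrator wrote is never applied. Whether a missing entry is treated as "no restriction" is decided by callers not visible here, so that should be confirmed, and the rejected line logged if it is. The loop and the rest of getportent() begin outside this hunk, so the earlier exits were not reviewed.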