nss-systemd: fix off-by-one in nss_pack_group_record_shadow()

nss_count_strv() counts trailing NULL pointers in n. The pointer area
then used (n + 1), reserving one slot more than the size check
accounted for.

Drop the + 1 since n already includes the trailing NULLs, unlike the
non-shadow nss_pack_group_record() where n does not.

Fixes: https://github.com/systemd/systemd/issues/41591
(cherry picked from commit aa85a742fe5e0816312566a700599496e720246d)

diff --git a/src/nss-systemd/userdb-glue.c b/src/nss-systemd/userdb-glue.c
index 1d5e311ce86530fcbafb910fe4636b7e00f7b65d..be99df00bf2cf8a6d285e9f8c93faa1748343624 100644 (file)
--- a/src/nss-systemd/userdb-glue.c
+++ b/src/nss-systemd/userdb-glue.c
@@ -472,7 +472,9 @@ int nss_pack_group_record_shadow(
 
         assert(buffer);
 
-        p = buffer + sizeof(void*) * (n + 1); /* place member strings right after the ptr array */
+        /* n already includes trailing NULL pointers from nss_count_strv(), unlike the
+         * non-shadow nss_pack_group_record() where n does not include them. */
+        p = buffer + sizeof(void*) * n;
         array = (char**) buffer; /* place ptr array at beginning of buffer, under assumption buffer is aligned */
 
         sgrp->sg_mem = array;