BUG/MINOR: config/userlist: Support one 'users' option for 'group' directive

When a group is defined in a userlist section, only one 'users' option is
expected. But it was not tested. Thus it was possible to set several options
leading to a memory leak.

It is now tested, and it is not allowed to redefine the users option.

It was reported by Coverity in #2841: CID 1587771.

This patch could be backported to all stable versions.

diff --git a/src/cfgparse.c b/src/cfgparse.c
index c2d0ca5c358be6f22b2a474c0b008ed822ceb838..216c8dcfebd2e67e063e3e04c58ecdde6c975e43 100644 (file)
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -1407,6 +1407,15 @@ cfg_parse_users(const char *file, int linenum, char **args, int kwm)
 
                while (*args[cur_arg]) {
                        if (strcmp(args[cur_arg], "users") == 0) {
+                               if (ag->groupusers) {
+                                       ha_alert("parsing [%s:%d]: 'users' option already defined in '%s' name '%s'.\n",
+                                                file, linenum, args[0], args[1]);
+                                       err_code |= ERR_ALERT | ERR_FATAL;
+                                       free(ag->groupusers);
+                                       free(ag->name);
+                                       free(ag);
+                                       goto out;
+                               }
                                ag->groupusers = strdup(args[cur_arg + 1]);
                                cur_arg += 2;
                                continue;