From aa85a742fe5e0816312566a700599496e720246d Mon Sep 17 00:00:00 2001
From: Milan Kyselica
Date: Sat, 11 Apr 2026 10:31:16 +0200
Subject: [PATCH] nss-systemd: fix off-by-one in nss_pack_group_record_shadow()
nss_count_strv() counts trailing NULL pointers in n. The pointer area then used (n + 1), reserving one slot more than the size check accounted for. Drop the + 1 since n already includes the trailing NULLs, unlike the non-shadow nss_pack_group_record() where n does not.
Fixes: https://github.com/systemd/systemd/issues/41591
---
 src/nss-systemd/userdb-glue.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/nss-systemd/userdb-glue.c b/src/nss-systemd/userdb-glue.c
index 6f1bf1e2af5..5bc89d5f9bb 100644
--- a/src/nss-systemd/userdb-glue.c
+++ b/src/nss-systemd/userdb-glue.c
@@ -475,7 +475,9 @@ int nss_pack_group_record_shadow(
 assert(buffer);
- p = buffer + sizeof(void*) * (n + 1); /* place member strings right after the ptr array */
+ /* n already includes trailing NULL pointers from nss_count_strv(), unlike the
+ * non-shadow nss_pack_group_record() where n does not include them. */
+ p = buffer + sizeof(void*) * n;
 array = (char**) buffer; /* place ptr array at beginning of buffer, under assumption buffer is aligned */
 sgrp->sg_mem = array;
--
2.47.3
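Review bot: The rewritten `p = buffer + sizeof(void*) * n;` is only correct while `n` keeps counting the trailing NULL pointers, and that contract lives in nss_count_strv() and the size check, both outside this hunk, so the new comment is the only thing keeping them in step. Because the strings are packed into a caller-supplied buffer, any later drift between the counted size and this offset appears to become a write past the checked length by one pointer width. I would compute the pointer-area size once next to the size check and reuse it here, or assert after packing that the write cursor did not pass the checked length. The replaced line's trailing comment `/* place member strings right after the ptr array */` was dropped although it still describes what `p` is, so it is worth keeping on the new line. The diffstat shows no test change; a case that calls nss_pack_group_record_shadow() with a buffer of exactly the required size would pin the fix, and the function body starts and ends outside the hunk.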