git.ipfire.org Git - thirdparty/shadow.git/commit

author	frostb1te <frostb1te@bugcrowdninja.com>
	Fri, 8 Nov 2024 11:00:24 +0000 (05:00 -0600)
committer	Alejandro Colomar <alx@kernel.org>
	Fri, 8 Nov 2024 12:42:23 +0000 (13:42 +0100)
commit	73e58adc6b80c7a83d92ec9cf95ffe98db87d367
tree	7928669ea94d079954003629bc360592f0636967	tree
parent	a0771fc01af573416cdb4a0fa5e52433a22921e2	commit \| diff

src/gpasswd.c: is_valid_user_list(): Fix invalid free(3)

This fix addresses an issue in is_valid_user_list() where the free
operation was attempted on an address not allocated with malloc().  By
duplicating the pointer with xstrdup(users) into dup, and using dup as
the original pointer, we ensure that only the valid pointer is freed,
avoiding an invalid free operation.

This bug was introduced when changing some code that used strchrnul(3)
to use strsep(3) instead.  strsep(3) advances the pointer, unlike the
previous code.

This unconditionally leads to a bug:

-  Passing NULL to free(3), if the last field in the
   colon-separated-value list is non-empty.  This results in a memory
   leak.

-  Passing a pointer to the null byte ('\0') that terminates the string,
   if the last element of the colon-separated-value list is empty.  The
   most obvious reproducer of such a bogus free(3) call is:

       free(strdup("foo:") + 4);

   This results in Undefined Behavior, and could result in allocator
   data corruption.

Fixes: 16cb66486554 (2024-07-01, "lib/, src/: Use strsep(3) instead of its pattern")
Suggested-by: <https://github.com/frostb1ten>
Reported-by: <https://github.com/frostb1ten>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Christian Brauner <christian@brauner.io>