lib/sgetgrent.c: sgetgrent(): Fix use-after-free bug
authorAlejandro Colomar <alx@kernel.org>
Fri, 6 Dec 2024 23:07:27 +0000 (00:07 +0100)
committerSerge Hallyn <serge@hallyn.com>
Tue, 10 Dec 2024 01:46:29 +0000 (19:46 -0600)
We were reusing a leftover from parsing a previous line if
(i == NFIELDS-1).  A few lines below this check, we read the element
in [3] (that is, [NFIELDS-1]), without having written it in this call.

Be stricter, and require that all NFIELDS fields are found.

Fixes: 45c6603cc86c (2007-10-07, "[svn-upgrade] Integrating new upstream version, shadow (19990709)")
Closes: <https://github.com/shadow-maint/shadow/issues/1144>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
lib/sgetgrent.c

index b1202967e0de9e3918abad739e04c944cf8349f0..42b4efb7722f4bc2eccbc90449a3768ae36c0cdb 100644 (file)
@@ -89,7 +89,7 @@ struct group *sgetgrent (const char *buf)
        for (cp = grpbuf, i = 0; (i < NFIELDS) && (NULL != cp); i++)
                grpfields[i] = strsep(&cp, ":");
 
-       if (i < (NFIELDS - 1) || *grpfields[2] == '\0' || cp != NULL) {
+       if (i < NFIELDS || *grpfields[2] == '\0' || cp != NULL) {
                return NULL;
        }
        grent.gr_name = grpfields[0];
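Review bot: The rewritten guard is safe only because `i < NFIELDS` short-circuits before `*grpfields[2]` is dereferenced, and nothing at the check records that ordering requirement. Per the commit description, entries of grpfields not written in this call can still hold pointers from an earlier line, so a later reordering of the operands would bring the stale read back. I would add a comment above the `if`, for example `/* i < NFIELDS must stay first: slots at or past i were not written in this call */`. The stricter test also starts rejecting three-field lines with no member-list field, which the old condition accepted; a regression test for such a line would pin that, if the test suite does not already have one. sgetgrent() begins and continues outside this hunk.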