[Pkg-shadow-devel] [PATCH] userdel: do not use grp structure after removing it

Mike Frysinger vapier at gentoo.org
Fri Feb 24 23:01:34 UTC 2012


The gr_remove() call will implicitly cause the memory backing the grp
structure to get freed, so attempting to use it later on (like we do
in the log messages) might hit memory corruption.  So create a copy
of the group name before we delete it so we can use it afterwards in
logging/output.

URL: https://bugs.gentoo.org/405409
Reported-by: Yuri Mamaev <y.mamaev at gmail.com>
Signed-off-by: Mike Frysinger <vapier at gentoo.org>
---
 src/userdel.c |   21 +++++++++++++++------
 1 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/src/userdel.c b/src/userdel.c
index 63c107b..455ec4c 100644
--- a/src/userdel.c
+++ b/src/userdel.c
@@ -330,25 +330,32 @@ static void remove_usergroup (void)
 
 	if (NULL == pwd) {
 		/*
+		 * Create a copy of the name to display below since
+		 * removing the group will implicitly free the memory
+		 * that grp points to.
+		 */
+		char *gr_name = xstrdup (grp->gr_name);
+
+		/*
 		 * We can remove this group, it is not the primary
 		 * group of any remaining user.
 		 */
-		if (gr_remove (grp->gr_name) == 0) {
+		if (gr_remove (gr_name) == 0) {
 			fprintf (stderr,
 			         _("%s: cannot remove entry '%s' from %s\n"),
-			         Prog, grp->gr_name, gr_dbname ());
+			         Prog, gr_name, gr_dbname ());
 			fail_exit (E_GRP_UPDATE);
 		}
 
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_DEL_GROUP, Prog,
 		              "deleting group",
-		              grp->gr_name, AUDIT_NO_ID,
+		              gr_name, AUDIT_NO_ID,
 		              SHADOW_AUDIT_SUCCESS);
 #endif				/* WITH_AUDIT */
 		SYSLOG ((LOG_INFO,
 		         "removed group '%s' owned by '%s'\n",
-		         grp->gr_name, user_name));
+		         gr_name, user_name));
 
 #ifdef	SHADOWGRP
 		if (sgr_locate (user_name) != NULL) {
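Review bot: After the `gr_remove (gr_name)` check succeeds, the stale `grp` pointer is still in scope for the rest of the block, so a later edit that reintroduces `grp->gr_name` would silently bring the use-after-free back into the audit and syslog records. Consider adding `grp = NULL;` right after that check, so any such dereference faults immediately instead of reading freed memory. This assumes `grp` is a plain local pointer; its declaration is outside this hunk. The new comment could also say that `grp` must not be touched past this point, e.g. `/* grp is dangling after gr_remove(); use gr_name only */`. remove_usergroup starts before this hunk and continues into the next one, where the shadow-group logging follows the same rule.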
@@ -361,15 +368,17 @@ static void remove_usergroup (void)
 #ifdef WITH_AUDIT
 			audit_logger (AUDIT_DEL_GROUP, Prog,
 			              "deleting shadow group",
-			              grp->gr_name, AUDIT_NO_ID,
+			              gr_name, AUDIT_NO_ID,
 			              SHADOW_AUDIT_SUCCESS);
 #endif				/* WITH_AUDIT */
 			SYSLOG ((LOG_INFO,
 			         "removed shadow group '%s' owned by '%s'\n",
-			         grp->gr_name, user_name));
+			         gr_name, user_name));
 
 		}
 #endif				/* SHADOWGRP */
+
+		free (gr_name);
 	}
 }
 
-- 
1.7.8.4



