[Pkg-shadow-devel] Bug#675824: shadow: possible segfault in useradd
Игорь Пашев
pashev.igor at gmail.com
Sun Jun 3 20:28:34 UTC 2012
2012/6/4 Nicolas François <nicolas.francois at centraliens.net>:
> Hello,
>
> On Sun, Jun 03, 2012 at 06:54:16PM +0400, pashev.igor at gmail.com wrote:
>>
>> Function __pw_dup() in lib/pwmem.c allocates uninitialized memory for struct
>> passwd and then fills some members of that struct, but other members (e.g.
>> pw_age) are still uninitialized. It can result in a segfault in putpwent() which
>> tests for pw_age.
>
> lib/pwmem.c copies all members according to the getpwent(3) or putpwent(3)
> man pages or /usr/include/pwd.h (libc6-dev 2.13-32).
>
> I could not find a definition of struct passwd with a pw_age field.
>
> I could copy or initialize the complete structure in case there are
> redefinitions of this structure with more fields, but it could be as
> harmful as not doing anything.
>
> Can you provide more details?
Here:
https://github.com/illumos/illumos-gate/blob/master/usr/src/head/pwd.h#L48
================= >8 ================
struct passwd {
	char	*pw_name;
	char	*pw_passwd;
	uid_t	pw_uid;
	gid_t	pw_gid;
	char	*pw_age;
	char	*pw_comment;
	char	*pw_gecos;
	char	*pw_dir;
	char	*pw_shell;
};
================= 8< ================
And here:
https://github.com/illumos/illumos-gate/blob/master/usr/src/lib/libc/port/gen/putpwent.c#L46
================= >8 ================
if (((p->pw_age) != NULL) && ((*p->pw_age) != '\0'))
	(void) fprintf(f, ",%s", p->pw_age); /* fatal "," */
================= 8< ================
So it *is* possible, and I think it is safer to set the whole
structure to zero values.
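
The failure mode discussed in this message, as an added example that is not part of the original e-mail or of the shadow source: a duplicator that copies only the members glibc documents leaves `pw_age` and `pw_comment` holding whatever the allocation contained, while zeroing the block first makes the `putpwent()` NULL test behave. The names `xpasswd`, `dup_str`, `xpw_dup` and `age_would_be_dereferenced` are hypothetical, and the 0xAA fill is an assumption standing in for stale heap contents.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Member layout from the illumos pwd.h quoted above; the name xpasswd is
 * hypothetical so it does not clash with the libc struct passwd. */
struct xpasswd {
    char *pw_name, *pw_passwd;
    uid_t pw_uid;
    gid_t pw_gid;
    char *pw_age, *pw_comment;   /* absent from the glibc definition */
    char *pw_gecos, *pw_dir, *pw_shell;
};

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

/* Copies only the members a glibc-oriented duplicator knows about.
 * zero_first = 1 is the hardened variant; 0 fills the block with 0xAA
 * to model stale heap contents deterministically. */
struct xpasswd *xpw_dup(const struct xpasswd *src, int zero_first)
{
    struct xpasswd *pw = malloc(sizeof *pw);
    if (pw == NULL)
        return NULL;
    memset(pw, zero_first ? 0 : 0xAA, sizeof *pw);
    pw->pw_uid = src->pw_uid;
    pw->pw_gid = src->pw_gid;
    pw->pw_name = dup_str(src->pw_name);
    pw->pw_passwd = dup_str(src->pw_passwd);
    pw->pw_gecos = dup_str(src->pw_gecos);
    pw->pw_dir = dup_str(src->pw_dir);
    pw->pw_shell = dup_str(src->pw_shell);
    if (pw->pw_name && pw->pw_passwd && pw->pw_gecos && pw->pw_dir && pw->pw_shell)
        return pw;
    free(pw->pw_name); free(pw->pw_passwd); free(pw->pw_gecos);
    free(pw->pw_dir); free(pw->pw_shell); free(pw);
    return NULL;
}

/* First half of the putpwent() condition quoted above: a non-NULL pw_age
 * is dereferenced next, so a garbage pointer here is a wild read. */
int age_would_be_dereferenced(const struct xpasswd *pw)
{
    return pw->pw_age != NULL;
}
```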