GUIs from user's input, passwd DB becomes inconsistent

Eitan Adler Fri, 30 Nov 2012 15:25:47 -0800

On 28 November 2012 13:41, Nikos Vassiliadis <nv...@gmx.com> wrote:

> Index: usr.sbin/pw/pw_group.c
> ===================================================================
> --- usr.sbin/pw/pw_group.c      (revision 243652)
> +++ usr.sbin/pw/pw_group.c      (working copy)
> @@ -350,6 +350,8 @@
>          */
>         if (a_gid != NULL) {
>                 gid = (gid_t) atol(a_gid->val);


atoi overflow is considered undefined behavior so the error can not be
meaningfully be checked. In particular the compiler may assume the
error will never occur and elide the check.  Ideally this call is
replaced with one of the stro* functions.

> +               if (errno == ERANGE || errno == EINVAL)
> +                       errx(EX_DATAERR, "gid %s is invalid", a_gid->val);



-- 
Eitan Adler
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

Re: bin/173977: pw(8) does not do range-checking on UIDs/GUIs from user's input, passwd DB becomes inconsistent

Reply via email to