Author: emaste Date: Mon May 15 17:57:09 2017 New Revision: 318304 URL: https://svnweb.freebsd.org/changeset/base/318304
Log: getusershell: don't write past end of line buffer reading local shells _local_initshells did not reset cp to the beginning of the line buffer for every iteration that it called fgets(3), leading to writing past the end of line with fairly long /etc/shells or excessively long line lengths. Correct this by properly resetting cp. PR: 192528 Submitted by: Kyle Evans <kevan...@ksu.edu> Reviewed by: cem, jilles Differential Revision: https://reviews.freebsd.org/D10690 Modified: head/lib/libc/gen/getusershell.c Modified: head/lib/libc/gen/getusershell.c ============================================================================== --- head/lib/libc/gen/getusershell.c Mon May 15 17:54:36 2017 (r318303) +++ head/lib/libc/gen/getusershell.c Mon May 15 17:57:09 2017 (r318304) @@ -115,8 +115,8 @@ _local_initshells(void *rv, void *cb_dat if ((fp = fopen(_PATH_SHELLS, "re")) == NULL) return NS_UNAVAIL; - cp = line; - while (fgets(cp, MAXPATHLEN + 1, fp) != NULL) { + while (fgets(line, MAXPATHLEN + 1, fp) != NULL) { + cp = line; while (*cp != '#' && *cp != '/' && *cp != '\0') cp++; if (*cp == '#' || *cp == '\0') @@ -124,7 +124,7 @@ _local_initshells(void *rv, void *cb_dat sp = cp; while (!isspace(*cp) && *cp != '#' && *cp != '\0') cp++; - *cp++ = '\0'; + *cp = '\0'; sl_add(sl, strdup(sp)); } (void)fclose(fp); _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
