mirrors/serenity
1
0
Fork 0
mirror of https://github.com/SerenityOS/serenity.git synced 2025-01-25 19:02:07 -05:00
Code Issues Projects Releases Packages Wiki Activity

LibC: Prefer strlcpy over strcpy in getgrent(), fix overflow

Browse source 
An overlong group name in /etc/groups would have caused getgrent() to overflow
the global __grdb_entry. Curiously, overflow *within* __grdb_entry seems to have
no detrimental effects.

However, it was possible for a malicious sysadmin(?!) to craft an /etc/group
that overflows outside of the page allocated for __grdb_entry thus crash the
calling process. This affected at least SystemServer and su.

Now, the group name will be simply truncated. For display purposes, this is
fine. In case there is an exceptionally long group, it will not be properly
recognized. Also, a malicious /etc/groups might cause the caller of getgrent()
to become confused, but that is unavoidable.
This commit is contained in:
Ben Wiederhake 2020-08-23 15:55:49 +02:00 committed by Andreas Kling
parent 9785173dec
commit aa36e9917c
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
Libraries/LibC/grp.cpp
View file

@ -135,12 +135,12 @@ next_entry:
__grdb_entry->gr_passwd = __grdb_entry->passwd_buffer;
for (size_t i = 0; i < members.size(); ++i) {
__grdb_entry->members[i] = __grdb_entry->members_buffer[i];
strcpy(__grdb_entry->members_buffer[i], members[i].characters());
strlcpy(__grdb_entry->members_buffer[i], members[i].characters(), sizeof(__grdb_entry->members_buffer[i]));
}
__grdb_entry->members[members.size()] = nullptr;
__grdb_entry->gr_mem = __grdb_entry->members;
strncpy(__grdb_entry->name_buffer, e_name.characters(), GRDB_STR_MAX_LEN - 1);
strncpy(__grdb_entry->passwd_buffer, e_passwd.characters(), GRDB_STR_MAX_LEN - 1);
strlcpy(__grdb_entry->name_buffer, e_name.characters(), GRDB_STR_MAX_LEN);
strlcpy(__grdb_entry->passwd_buffer, e_passwd.characters(), GRDB_STR_MAX_LEN);
return __grdb_entry;
}