Hi,

I know this will be the third commit to fix the overflow situation in
getusershell if /etc/shells is malformed. Hopefully it will be the last
adjustment.

I submitted a bug report to glibc devs after noticing that they use the
same implementation as we do (more or less). Paul Pluzhnikov reviewed
my diff and noticed that it can still overflow:

From https://sourceware.org/bugzilla/show_bug.cgi?id=18660:
> It seems to me that even adding 2 * sizeof (char *) is insufficient:
> if /etc/shells contains 10 two-byte lines "/\n", then "shells" will
> point to an array of 20/3 + 2 == 8 pointers, and we'll try to write
> 11 entries into it.

So, let's reserve more memory. Or actually implement this code to only
reserve as much as needed...


Tobias

Index: getusershell.c
===================================================================
RCS file: /cvs/src/lib/libc/gen/getusershell.c,v
retrieving revision 1.15
diff -u -p -r1.15 getusershell.c
--- getusershell.c      6 Feb 2015 23:21:58 -0000       1.15
+++ getusershell.c      11 Aug 2015 17:33:58 -0000
@@ -110,7 +110,7 @@ initshells(void)
                (void)fclose(fp);
                return (okshells);
        }
-       shells = calloc((size_t)(statb.st_size / 3 + 2), sizeof (char *));
+       shells = calloc((size_t)(statb.st_size / 2 + 2), sizeof (char *));
        if (shells == NULL) {
                (void)fclose(fp);
                free(strings);
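Review bot: the divisor change is justified only by the "/\n" worst case quoted in the mail, so the `shells = calloc((size_t)(statb.st_size / 2 + 2), sizeof (char *));` line should carry a comment with that derivation: an entry is only stored for a line containing a '/', such a line is at least two bytes, so at most st_size / 2 entries plus the terminating NULL are ever written, which fits in st_size / 2 + 2 slots. Given that this is the third adjustment of the constant, the next reader otherwise has no way to see why 2 is sufficient where 3 was not. The bound also still assumes the bytes actually read match the statb.st_size used for the allocation; the "only reserve as much as needed" approach mentioned in the mail would remove that dependence.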

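As an added illustration, not code from this mail or from libc, the following C model performs the counting the quoted Bugzilla comment does: it counts the pointer writes initshells() makes for a given /etc/shells buffer, including the trailing NULL, and compares that with the slots the old divisor-3 and new divisor-2 formulas reserve. The parse loop is a simplified reconstruction (lines split on '\n' only) and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed input: the worst case from the bug report, ten "/\n" lines. */
static const char WORST_CASE[] = "/\n/\n/\n/\n/\n/\n/\n/\n/\n/\n";
#define WORST_CASE_LEN (sizeof(WORST_CASE) - 1)

/* Pointer slots the calloc() call reserves: st_size / divisor + 2.
 * divisor 3 is the old formula from the mail, divisor 2 the new one. */
size_t slots_for(size_t st_size, size_t divisor)
{
	return st_size / divisor + 2;
}

/* Pointer writes initshells() performs for a buffer of `len` bytes:
 * one per line containing a '/' before any '#', plus the NULL written
 * after the loop. Simplified model: lines are split on '\n' only. */
size_t entries_needed(const char *buf, size_t len)
{
	size_t n = 0, i = 0;

	while (i < len) {
		size_t j = i, k = i;

		while (j < len && buf[j] != '\n')
			j++;                    /* j: end of this line */
		while (k < j && buf[k] != '#' && buf[k] != '/')
			k++;                    /* skip to '#' or '/' */
		if (k < j && buf[k] == '/')
			n++;                    /* line contributes an entry */
		i = j + 1;
	}
	return n + 1;                           /* the terminating NULL */
}

/* 1 when every write lands inside the allocated array, 0 on overflow. */
int sizing_is_safe(const char *buf, size_t len, size_t divisor)
{
	return entries_needed(buf, len) <= slots_for(len, divisor);
}

int main(void)
{
	size_t need = entries_needed(WORST_CASE, WORST_CASE_LEN);

	printf("%zu bytes -> %zu writes; /3+2: %zu slots (%s), /2+2: %zu slots (%s)\n",
	    WORST_CASE_LEN, need,
	    slots_for(WORST_CASE_LEN, 3), sizing_is_safe(WORST_CASE, WORST_CASE_LEN, 3) ? "ok" : "OVERFLOW",
	    slots_for(WORST_CASE_LEN, 2), sizing_is_safe(WORST_CASE, WORST_CASE_LEN, 2) ? "ok" : "OVERFLOW");
	return 0;
}
```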