From d7268f1e76677b28d0ebecae94276c34bc8cba54 Mon Sep 17 00:00:00 2001 From: Bryan Drewery Date: Thu, 29 Oct 2015 18:29:28 +0000 Subject: Fix unlikely memory leak. It is unlikely since the first check in the function is that dir[0] is '/', but later code changes may make it real. Coverity CID: 1332104 --- pw/pw_user.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'pw/pw_user.c') diff --git a/pw/pw_user.c b/pw/pw_user.c index 1af8f81..345f642 100644 --- a/pw/pw_user.c +++ b/pw/pw_user.c @@ -107,8 +107,10 @@ mkdir_home_parents(int dfd, const char *dir) errx(EX_UNAVAILABLE, "out of memory"); tmp = strrchr(dirs, '/'); - if (tmp == NULL) + if (tmp == NULL) { + free(dirs); return; + } tmp[0] = '\0'; /* -- cgit v1.2.3 From 53d5541556909952101aae809c6d30717ab497d0 Mon Sep 17 00:00:00 2001 From: Xin LI Date: Fri, 30 Oct 2015 00:46:52 +0000 Subject: In pw_userlock, set 'name' to NULL when we encounter an all number string because it is also used as an indicator of whether a name or an UID is being used and we may have undefined results as 'name' may contain uninitialized stack contents. MFC after: 2 weeks --- pw/pw_user.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'pw/pw_user.c') diff --git a/pw/pw_user.c b/pw/pw_user.c index 345f642..5c168ab 100644 --- a/pw/pw_user.c +++ b/pw/pw_user.c @@ -282,9 +282,10 @@ pw_userlock(char *arg1, int mode) if (arg1 == NULL) errx(EX_DATAERR, "username or id required"); - if (arg1[strspn(arg1, "0123456789")] == '\0') + if (arg1[strspn(arg1, "0123456789")] == '\0') { id = pw_checkid(arg1, UID_MAX); - else + name = NULL; + } else name = arg1; pwd = (name != NULL) ? GETPWNAM(pw_checkname(name, 0)) : GETPWUID(id); -- cgit v1.2.3 From 42c74a30927e0f5a7c28809ed3df548911bf17a1 Mon Sep 17 00:00:00 2001 From: Baptiste Daroussin Date: Wed, 2 Dec 2015 22:01:37 +0000 Subject: Fix handling of numeric-only names with pw lock Add a regression test about it PR: 204968 MFC after: 1 week --- pw/pw_user.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'pw/pw_user.c') diff --git a/pw/pw_user.c b/pw/pw_user.c index 5c168ab..61c2440 100644 --- a/pw/pw_user.c +++ b/pw/pw_user.c @@ -274,7 +274,7 @@ pw_userlock(char *arg1, int mode) char *passtmp = NULL; char *name; bool locked = false; - uid_t id; + uid_t id = (uid_t)-1; if (geteuid() != 0) errx(EX_NOPERM, "you must be root"); @@ -282,16 +282,19 @@ pw_userlock(char *arg1, int mode) if (arg1 == NULL) errx(EX_DATAERR, "username or id required"); - if (arg1[strspn(arg1, "0123456789")] == '\0') { - id = pw_checkid(arg1, UID_MAX); - name = NULL; - } else - name = arg1; + name = arg1; + if (arg1[strspn(name, "0123456789")] == '\0') + id = pw_checkid(name, UID_MAX); - pwd = (name != NULL) ? GETPWNAM(pw_checkname(name, 0)) : GETPWUID(id); + pwd = GETPWNAM(pw_checkname(name, 0)); + if (pwd == NULL && id != (uid_t)-1) { + pwd = GETPWUID(id); + if (pwd != NULL) + name = pwd->pw_name; + } if (pwd == NULL) { - if (name == NULL) - errx(EX_NOUSER, "no such uid `%ju'", (uintmax_t) id); + if (id == (uid_t)-1) + errx(EX_NOUSER, "no such name or uid `%ju'", (uintmax_t) id); errx(EX_NOUSER, "no such user `%s'", name); } -- cgit v1.2.3 From 37f903568b33e005010ceea4921219edbe23ba39 Mon Sep 17 00:00:00 2001 From: Baptiste Daroussin Date: Wed, 2 Dec 2015 22:35:25 +0000 Subject: pw_checkname since the beginning if too strict on GECOS field, relax it a bit so gecos can be used to store multibytes data. This was unseen before FreeBSD 10.2 as this validation function was motly unused since FreeBSD 10.2 the usage of this function has been generalized to improve validation. Reported by: des MFC after: 1 week --- pw/pw_user.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'pw/pw_user.c') diff --git a/pw/pw_user.c b/pw/pw_user.c index 61c2440..30a2749 100644 --- a/pw/pw_user.c +++ b/pw/pw_user.c @@ -642,7 +642,8 @@ pw_checkname(char *name, int gecos) } if (!reject) { while (*ch) { - if (strchr(badchars, *ch) != NULL || *ch < ' ' || + if (strchr(badchars, *ch) != NULL || + (!gecos && *ch < ' ') || *ch == 127) { reject = 1; break; -- cgit v1.2.3