summary refs log tree commit diff
path: root/nscd/nscd_getgr_r.c
diff options
context:
space:
mode:
Diffstat (limited to 'nscd/nscd_getgr_r.c')
-rw-r--r--nscd/nscd_getgr_r.c29
1 files changed, 24 insertions, 5 deletions
diff --git a/nscd/nscd_getgr_r.c b/nscd/nscd_getgr_r.c
index 1b94bf584f..282912db3e 100644
--- a/nscd/nscd_getgr_r.c
+++ b/nscd/nscd_getgr_r.c
@@ -67,14 +67,18 @@ __nscd_getgrgid_r (gid_t gid, struct group *resultbuf, char *buffer,
 }
 
 
-libc_locked_map_ptr (map_handle);
+libc_locked_map_ptr (,__gr_map_handle);
 /* Note that we only free the structure if necessary.  The memory
    mapping is not removed since it is not visible to the malloc
    handling.  */
 libc_freeres_fn (gr_map_free)
 {
-  if (map_handle.mapped != NO_MAPPING)
-    free (map_handle.mapped);
+  if (__gr_map_handle.mapped != NO_MAPPING)
+    {
+      void *p = __gr_map_handle.mapped;
+      __gr_map_handle.mapped = NO_MAPPING;
+      free (p);
+    }
 }
 
 
@@ -91,7 +95,8 @@ nscd_getgr_r (const char *key, size_t keylen, request_type type,
   /* If the mapping is available, try to search there instead of
      communicating with the nscd.  */
   struct mapped_database *mapped = __nscd_get_map_ref (GETFDGR, "group",
-						       &map_handle, &gc_cycle);
+						       &__gr_map_handle,
+						       &gc_cycle);
  retry:;
   const gr_response_header *gr_resp = NULL;
   const char *gr_name = NULL;
@@ -204,7 +209,8 @@ nscd_getgr_r (const char *key, size_t keylen, request_type type,
       else
 	/* We already have the data.  Just copy the group name and
 	   password.  */
-	memcpy (resultbuf->gr_name, gr_name, gr_name_len);
+	memcpy (resultbuf->gr_name, gr_name,
+		gr_resp->gr_name_len + gr_resp->gr_passwd_len);
 
       /* Clear the terminating entry.  */
       resultbuf->gr_mem[gr_resp->gr_mem_cnt] = NULL;
@@ -242,6 +248,19 @@ nscd_getgr_r (const char *key, size_t keylen, request_type type,
 	  /* Copy the group member names.  */
 	  memcpy (resultbuf->gr_mem[0], gr_name + gr_name_len, total_len);
 
+	  /* Try to detect corrupt databases.  */
+	  if (resultbuf->gr_name[gr_name_len - 1] != '\0'
+	      || resultbuf->gr_passwd[gr_resp->gr_passwd_len - 1] != '\0'
+	      || ({for (cnt = 0; cnt < gr_resp->gr_mem_cnt; ++cnt)
+		     if (resultbuf->gr_mem[cnt][len[cnt] - 1] != '\0')
+		       break;
+	  	   cnt < gr_resp->gr_mem_cnt; }))
+	    {
+	      /* We cannot use the database.  */
+	      retval = -1;
+	      goto out_close;
+	    }
+
 	  *result = resultbuf;
 	}
     }
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-12-14 22:45:35 +0000