svn commit: r318304 - head/lib/libc/gen

[Ed Maste]

Author: emaste
Date: Mon May 15 17:57:09 2017
New Revision: 318304
URL: https://svnweb.freebsd.org/changeset/base/318304

Log:
  getusershell: don't write past end of line buffer reading local shells
  
  _local_initshells did not reset cp to the beginning of the line buffer
  for every iteration that it called fgets(3), leading to writing past the
  end of line with fairly long /etc/shells or excessively long line
  lengths. Correct this by properly resetting cp.
  
  PR:		192528
  Submitted by:	Kyle Evans <kevans91 at ksu.edu>
  Reviewed by:	cem, jilles
  Differential Revision:	https://reviews.freebsd.org/D10690

Modified:
  head/lib/libc/gen/getusershell.c

Modified: head/lib/libc/gen/getusershell.c
==============================================================================
--- head/lib/libc/gen/getusershell.c	Mon May 15 17:54:36 2017	(r318303)
+++ head/lib/libc/gen/getusershell.c	Mon May 15 17:57:09 2017	(r318304)
@@ -115,8 +115,8 @@ _local_initshells(void	*rv, void *cb_dat
 	if ((fp = fopen(_PATH_SHELLS, "re")) == NULL)
 		return NS_UNAVAIL;
 
-	cp = line;
-	while (fgets(cp, MAXPATHLEN + 1, fp) != NULL) {
+	while (fgets(line, MAXPATHLEN + 1, fp) != NULL) {
+		cp = line;
 		while (*cp != '#' && *cp != '/' && *cp != '\0')
 			cp++;
 		if (*cp == '#' || *cp == '\0')
@@ -124,7 +124,7 @@ _local_initshells(void	*rv, void *cb_dat
 		sp = cp;
 		while (!isspace(*cp) && *cp != '#' && *cp != '\0')
 			cp++;
-		*cp++ = '\0';
+		*cp = '\0';
 		sl_add(sl, strdup(sp));
 	}
 	(void)fclose(fp);