cvtsudoers_make_gritem: fix off-by-one in gr_mem allocation

borats · millert · commit 38d909aa78e2 · 2026-03-21T08:52:01.000-05:00
cvtsudoers_make_gritem() allocates space for the gr_mem pointer array
using sizeof(char *) * nmem, where nmem is the number of filter users.
However, gr_mem is a conventional NULL-terminated array, and the NULL
terminator slot was never included in the allocation.  When
newgr-&gt;gr_mem[nmem] is subsequently written with NULL, it lands one
pointer past the end of the reserved pointer array, overwriting the
first bytes of the adjacent member-string data.  With few members and
short names the write can extend past the end of the allocation
entirely, corrupting adjacent heap memory.

Fix by incrementing nmem before computing the pointer-array size, so
that the NULL terminator slot is included in the allocation.  This
mirrors the pattern used in PREFIX(make_gritem) in pwutil_impl.c.
diff --git a/plugins/sudoers/cvtsudoers_pwutil.c b/plugins/sudoers/cvtsudoers_pwutil.c
@@ -230,6 +230,7 @@ cvtsudoers_make_gritem(gid_t gid, const char *name)
 	    total += strlen(s->str) + 1;
 	    nmem++;
 	}
+	nmem++;	/* include space for the NULL terminator */
 	total += sizeof(char *) * nmem;
     }
     if (name != NULL)

Original file line number	Diff line number	Diff line change
`@@ -230,6 +230,7 @@ cvtsudoers_make_gritem(gid_t gid, const char *name)`
`230`	`230`	`total += strlen(s->str) + 1;`
`231`	`231`	`nmem++;`
`232`	`232`	`}`
	`233`	`+ nmem++; /* include space for the NULL terminator */`
`233`	`234`	`total += sizeof(char ) nmem;`
`234`	`235`	`}`
`235`	`236`	`if (name != NULL)`