From 43bd9ae540a87d23904b6c34cad0a6541739e3b1 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 12 Jul 2015 15:56:51 +0200
Subject: [PATCH] Fix overflow in getusershell

The function initshells is prone to a buffer overflow in two cases:

1) if /etc/shells is empty, 0 bytes of memory for "shells" will be
   reserved, but value NULL written into it.
2) if /etc/shells contains only 2 bytes, or generally entries which are
   that small, the calculation "st_size / 3" will round down due to
   integer division. Two values will then be written into an allocated
   area of 0 bytes.

This fix has been applied in OpenBSD.
---
 misc/getusershell.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/getusershell.c b/misc/getusershell.c
index fc2c43b..a23fb85 100644
--- a/misc/getusershell.c
+++ b/misc/getusershell.c
@@ -119,7 +119,7 @@ initshells (void)
 	flen = statb.st_size + 3;
 	if ((strings = malloc(flen)) == NULL)
 		goto init_okshells;
-	shells = malloc(statb.st_size / 3 * sizeof (char *));
+	shells = malloc((statb.st_size / 2 + 2) * sizeof (char *));
 	if (shells == NULL) {
 		free(strings);
 		strings = NULL;
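Review bot: The new size expression on the `shells = malloc(...)` line is still derived from `statb.st_size` with no upper bound, so on a platform where `off_t` is wider than `size_t` the multiplication by `sizeof (char *)` can wrap and return a pointer array smaller than the entry count it is meant to hold; `flen = statb.st_size + 3` above it may truncate in the same way, depending on the type of `flen`, which is declared outside the hunk. A guard placed before the `flen` assignment would reject such sizes before either allocation, for example `if (statb.st_size < 0 || statb.st_size / 2 + 2 > SIZE_MAX / sizeof (char *)) goto init_okshells;`. The changed line would also benefit from a comment recording why the bound is `/ 2 + 2`, e.g. `/* smallest entry is one character plus newline; +2 covers an unterminated last line and the NULL terminator */`, worded to match what the parse loop actually stores. The `fstat` call and the loop that fills `shells` are outside the hunk, so both the worst-case entry count and the cleanup done at `init_okshells` should be confirmed against them.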
-- 
2.4.5
