From blank@sliphost37.uni-trier.de  Sat Apr  5 09:20:43 1997
Received: from sliphost37.uni-trier.de (blank@sliphost37.uni-trier.de [136.199.240.37])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA17435
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 5 Apr 1997 09:20:39 -0800 (PST)
Received: (from blank@localhost)
	by sliphost37.uni-trier.de (8.8.5/8.8.5) id TAA20407;
	Sat, 5 Apr 1997 19:17:37 +0200 (CEST)
Message-Id: <199704051717.TAA20407@sliphost37.uni-trier.de>
Date: Sat, 5 Apr 1997 19:17:37 +0200 (CEST)
From: blank@fox.uni-trier.de
Reply-To: blank@fox.uni-trier.de
To: FreeBSD-gnats-submit@freebsd.org
Subject: FreeBSD 2.2-STABLE: su seg-faults on invalid command line
X-Send-Pr-Version: 3.2

>Number:         3206
>Category:       bin
>Synopsis:       su seg-faults when being invoked with an invalid command line
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr  5 09:30:00 PST 1997
>Closed-Date:    Sat Aug 23 16:18:35 MEST 1997
>Last-Modified:  Sat Aug 23 16:18:56 MEST 1997
>Originator:     Sascha Blank
>Release:        FreeBSD 2.2-STABLE i386
>Organization:
Computer Center of the University of Trier, Germany
>Environment:

FreeBSD 2.2-STABLE, current as of ctm-src-2.2 #0226

ident /usr/src/usr.bin/su/su.c says:

    $Id: su.c,v 1.14.2.1 1997/03/07 09:01:23 joerg Exp $

>Description:

Calling su with an invalid command line like this one

	su --

or this one

	su --m

makes su quit with a segmentation fault:

Apr  5 19:00:56 sliphost37 /kernel: pid 20268 (su), uid 0: exited on signal 11

>How-To-Repeat:

See above.

>Fix:

The reason for the fault is easy to find. The variable "user" is supposed
to hold the user name given on the command line (or "root" if none is
given). In case of an invalid argument like above "user" is set to NULL,
which will later make the "getpwnam(user)"-call fail.

My little diff below fixes this problem by explicitly checking if "user"
has been set to NULL. If so, it makes the program show "usage..." and
exit properly.


*** su.c.CURRENT	Sat Apr  5 18:55:03 1997
--- su.c	Sat Apr  5 19:06:21 1997
***************
*** 137,142 ****
--- 137,148 ----
  		break;
  	    }
  
+ 	if(user == NULL) {
+ 	    (void)fprintf(stderr, "usage: su [%s] [login]\n",
+ 		          ARGSTR);
+ 	    exit(1);
+ 	}
+ 
  	if((nargv = malloc (sizeof (char *) * (argc + 4))) == NULL) {
  	    errx(1, "malloc failure");
  	}
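
Review bot: The added "if(user == NULL)" guard turns "su --" into a usage error, yet the report states that "user" should hold "root" when no login is given, and a bare "--" with nothing after it is arguably that case. Consider defaulting to "root" here instead of exiting, or state in the usage text that "--" must be followed by a login. The guard also runs only after the preceding block has already stored the NULL; validating at the point where "user" is assigned would keep any later use, such as the getpwnam(user) call mentioned in the report, from depending on the position of this check. Style: the very next statement reports its error through errx(1, ...), while this block uses fprintf(stderr, ...) followed by exit(1); if the same usage string is printed elsewhere in su.c, a shared helper would keep the two copies from drifting apart.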

--
             Sascha Blank - mailto:blank@fox.uni-trier.de
  Student and System Administrator at the University of Trier, Germany
            Finger my account to receive my Public PGP key
   I don't speak for my employers, they don't pay me enough for that.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: joerg 
State-Changed-When: Sat Aug 23 16:18:35 MEST 1997 
State-Changed-Why:  

A similar fix applied in rev 1.22 of su.c.
>Unformatted:
