From 1e65eb8f9b7d567462030b2e625998d77677e636 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 31 Dec 2021 00:31:51 +0900
Subject: nss-systemd: fix required buffer size calculation

This also fixes the pointer assigned to the gr_mem element of struct group.

Fixes a bug introduced by 47fd7fa6c650d7a0ac41bc89747e3b866ffb9534.

Fixes #21935.
---
 src/nss-systemd/nss-systemd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c
index 1840a0d508..7aea3652c4 100644
--- a/src/nss-systemd/nss-systemd.c
+++ b/src/nss-systemd/nss-systemd.c
@@ -236,7 +236,7 @@ static enum nss_status copy_synthesized_group(
 
         required = strlen(src->gr_name) + 1;
         required += strlen(src->gr_passwd) + 1;
-        required += 1; /* ...but that NULL still needs to be stored into the buffer! */
+        required += sizeof(char*); /* ...but that NULL still needs to be stored into the buffer! */
 
         if (buflen < required) {
                 *errnop = ERANGE;
@@ -250,7 +250,7 @@ static enum nss_status copy_synthesized_group(
         /* String fields point into the user-provided buffer */
         dest->gr_name = buffer;
         dest->gr_passwd = stpcpy(dest->gr_name, src->gr_name) + 1;
-        dest->gr_mem = (char **) strcpy(dest->gr_passwd, src->gr_passwd) + 1;
+        dest->gr_mem = (char **) stpcpy(dest->gr_passwd, src->gr_passwd) + 1;
         *dest->gr_mem = NULL;
 
         return NSS_STATUS_SUCCESS;
-- 
cgit v1.2.1