Use of vulnerable function 'getpwuid' getpwuid makes no guaranteee of thread safety...

Change-Id: I47cc2148257c75612dd402bd33aa9a5311be344b

diff --git a/src/common/media-common-utils.c b/src/common/media-common-utils.c
index 5462a75..15f19b0 100755 (executable)
--- a/src/common/media-common-utils.c
+++ b/src/common/media-common-utils.c
@@ -569,38 +569,72 @@ char* ms_get_path(uid_t uid)
 {
        int len = 0;
        char *result_passwd = NULL;
-       struct group *grpinfo = NULL;
-       if (uid == getuid()) {
-               grpinfo = getgrnam("users");
-               if (grpinfo == NULL) {
-                       MS_DBG_ERR("getgrnam(users) returns NULL !");
-                       return NULL;
-               }
+       int ret = -1;
+       char* grpbuf;
+       struct group grpinfo;
+       struct group* grpresult = NULL;
+       size_t grpbufsize;
+
+       grpbufsize = sysconf(_SC_GETGR_R_SIZE_MAX);
+       if (grpbufsize == -1)           /* Value was indeterminate */
+               grpbufsize = 16384;             /* Should be more than enough (16*1024) */
+
+       grpbuf = malloc(grpbufsize);
+       if (grpbuf == NULL) {
+               MS_DBG_ERR("malloc grpbuf grpbufsize[%d] failed", grpbufsize);
+               return NULL;
+       }
+
+       ret = getgrnam_r("users", &grpinfo, grpbuf, grpbufsize, &grpresult);
+       if((ret == 0) && (grpresult != NULL)) {
+               MS_DBG("getgrnam_r users success...\n");
+       } else {
+               MS_DBG_ERR("getgrnam_r users failed ret[%d]", ret);
+               goto END;
+       }
+
+       if (uid == getuid()) {  
                if (MS_STRING_VALID(MEDIA_ROOT_PATH_INTERNAL))
                        result_passwd = strndup(MEDIA_ROOT_PATH_INTERNAL, strlen(MEDIA_ROOT_PATH_INTERNAL));
        } else {
                char passwd_str[MAX_FILEPATH_LEN] = {0, };
-               struct passwd *userinfo = getpwuid(uid);
-               if (userinfo == NULL) {
-                       MS_DBG_ERR("getpwuid(%d) returns NULL !", uid);
-                       return NULL;
+               struct passwd pwdinfo;
+               struct passwd* pwdresult = NULL;
+               char* pwdbuf;
+               size_t pwdbufsize;
+
+               pwdbufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
+               if (pwdbufsize == -1)           /* Value was indeterminate */
+                       pwdbufsize = 16384;             /* Should be more than enough (16*1024) */
+
+               pwdbuf = malloc(pwdbufsize);
+               if (pwdbuf == NULL) {
+                       MS_DBG_ERR("malloc pwdbuf pwdbufsize[%d] failed", pwdbufsize);
+                       goto END;
                }
-               grpinfo = getgrnam("users");
-               if (grpinfo == NULL) {
-                       MS_DBG_ERR("getgrnam(users) returns NULL !");
-                       return NULL;
+
+               ret = getpwuid_r(uid, &pwdinfo, pwdbuf, pwdbufsize, &pwdresult);
+               if((ret == 0) && (pwdresult != NULL)) {
+                       MS_DBG("getpwuid uid[%d] success\n", uid);
+               } else {
+                       MS_DBG_ERR("getpwuid uid[%d] failed ret[%d]", uid, ret);
+                       MS_SAFE_FREE(pwdbuf);
+                       goto END;
                }
+
                // Compare git_t type and not group name
-               if (grpinfo->gr_gid != userinfo->pw_gid) {
+               if (grpinfo.gr_gid != pwdinfo.pw_gid) {
                        MS_DBG_ERR("UID [%d] does not belong to 'users' group!", uid);
                        return NULL;
                }
-
-               len = snprintf(passwd_str, sizeof(passwd_str), "%s/%s", userinfo->pw_dir, MEDIA_CONTENT_PATH);
+       
+               len = snprintf(passwd_str, sizeof(passwd_str), "%s/%s", pwdinfo.pw_dir, MEDIA_CONTENT_PATH);
                if (len > 0)
                        result_passwd = strndup(passwd_str, len);
        }
 
+END:
+       MS_SAFE_FREE(grpbuf);
        return result_passwd;
 }