>Synopsis: useradd ignores invalid range specifiers
>Category: User
>Environment:
System : OpenBSD 6.4
Details : OpenBSD 6.4 (GENERIC.MP) #364: Thu Oct 11 13:30:23 MDT 2018
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
useradd will ignore invalid range specifiers given on the command line
and (unexpectedly) continue executing with the default UID range.
>How-To-Repeat:
Provide an invalid range specifier when creating a user:
$ doas ./user add -r 10000-11000 foobar
user: Bad range `10000-11000'
The user (and group) will still be created, but with the default ID range.
>Fix:
Patch below causes the process to exit during argument parsing:
Index: usr.sbin/user/user.c
===================================================================
RCS file: /cvs/src/usr.sbin/user/user.c,v
retrieving revision 1.123
diff -u -p -u -r1.123 user.c
--- usr.sbin/user/user.c 15 Oct 2018 18:27:27 -0000 1.123
+++ usr.sbin/user/user.c 31 Dec 2018 13:58:43 -0000
@@ -1848,7 +1848,9 @@ useradd(int argc, char **argv)
break;
case 'r':
defaultfield = 1;
- (void) save_range(&u, optarg);
+ if (save_range(&u, optarg) == 0) {
+ errx(EXIT_FAILURE, "Error parsing uid range");
+ }
break;
case 's':
defaultfield = 1;
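Review bot: the errx() call added under case 'r' prints a fixed string, "Error parsing uid range", without the rejected value, while the How-To-Repeat output shows the program already reports "Bad range" with the argument, so one bad -r would now produce two messages. Either exit without a second message or make the new one carry optarg, for example errx(EXIT_FAILURE, "invalid uid range: %s", optarg). The == 0 test relies on save_range returning 0 on failure, which this hunk does not show, so confirm that against the function's definition. The braces around the single-statement body can be dropped. Because the removed line discarded the result with a (void) cast, check whether any other caller of save_range ignores the return value in the same way and needs the same treatment.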