diff --git a/src/libsystemd/sd-event/event-util.c b/src/libsystemd/sd-event/event-util.c
index 482df37225..9e0dbd30c3 100644
--- a/src/libsystemd/sd-event/event-util.c
+++ b/src/libsystemd/sd-event/event-util.c
@@ -274,16 +274,17 @@ int event_forward_signals(
 return -ENOMEM;
 FOREACH_ARRAY(sig, signals, n_signals) {
- r = sd_event_add_signal(e, &sources[n_sources], *sig | SD_EVENT_SIGNAL_PROCMASK, event_forward_signal_callback, child);
+ _cleanup_(sd_event_source_unrefp) sd_event_source *s = NULL;
+ r = sd_event_add_signal(e, &s, *sig | SD_EVENT_SIGNAL_PROCMASK, event_forward_signal_callback, child);
 if (r < 0)
 return r;
- r = sd_event_source_set_destroy_callback(sources[n_sources], event_forward_signal_destroy);
+ r = sd_event_source_set_destroy_callback(s, event_forward_signal_destroy);
 if (r < 0)
 return r;
 sd_event_source_ref(child);
- n_sources++;
+ sources[n_sources++] = TAKE_PTR(s);
 }
 *ret_sources = TAKE_PTR(sources);
diff --git a/src/shared/group-record.c b/src/shared/group-record.c
index 911c6c8f0b..04989eb63a 100644
--- a/src/shared/group-record.c
+++ b/src/shared/group-record.c
@@ -344,12 +344,15 @@ bool group_record_matches_group_name(const GroupRecord *g, const char *group_nam
 return false;
 }
-int group_record_match(GroupRecord *h, const UserDBMatch *match) {
+bool group_record_match(GroupRecord *h, const UserDBMatch *match) {
 assert(h);
 if (!match)
 return true;
+ if (!gid_is_valid(h->gid))
+ return false;
+
 if (h->gid < match->gid_min || h->gid > match->gid_max)
 return false;
diff --git a/src/shared/group-record.h b/src/shared/group-record.h
index 5705fe2511..ee8d399577 100644
--- a/src/shared/group-record.h
+++ b/src/shared/group-record.h
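Review bot: In the event_forward_signals() loop, `sd_event_source_ref(child)` has no comment tying it to `event_forward_signal_destroy`, so the reader has to infer that the extra reference on `child` is taken only after the destroy callback is installed and is released by that callback. The callback body is outside this hunk, so that pairing is an assumption to confirm. A one-line comment above the ref, for example `/* Dropped again by event_forward_signal_destroy() when the source is freed */`, would make the ownership explicit. The function starts and ends outside the hunk, including the declaration and cleanup of `sources`.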
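Review bot: The new `gid_is_valid(h->gid)` guard in group_record_match() sits after the `if (!match) return true;` early return, so a record without a valid GID is still accepted whenever no filter is passed, and nothing in the hunk says whether that is intended. If the invalid-GID sentinel is the conventional all-ones value, the old code rejected such a record only through the `gid_max` comparison, which is worth stating next to the guard. A comment such as `/* A record lacking a GID can never satisfy a range filter; without a filter it is accepted as-is */` would document the contract. The same applies to the `uid_is_valid(u->uid)` guard in user_record_match() in user-record.c. The function body continues past the end of the hunk.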
@@ -43,7 +43,7 @@ int group_record_load(GroupRecord *h, sd_json_variant *v, UserRecordLoadFlags fl
 int group_record_build(GroupRecord **ret, ...);
 int group_record_clone(GroupRecord *g, UserRecordLoadFlags flags, GroupRecord **ret);
-int group_record_match(GroupRecord *h, const UserDBMatch *match);
+bool group_record_match(GroupRecord *h, const UserDBMatch *match);
 const char* group_record_group_name_and_realm(GroupRecord *h);
 UserDisposition group_record_disposition(GroupRecord *h);
diff --git a/src/shared/user-record.c b/src/shared/user-record.c
index 4817bec073..89ba2fbef4 100644
--- a/src/shared/user-record.c
+++ b/src/shared/user-record.c
@@ -2769,12 +2769,15 @@ bool user_name_fuzzy_match(const char *names[], size_t n_names, char **matches)
 return false;
 }
-int user_record_match(UserRecord *u, const UserDBMatch *match) {
+bool user_record_match(UserRecord *u, const UserDBMatch *match) {
 assert(u);
 if (!match)
 return true;
+ if (!uid_is_valid(u->uid))
+ return false;
+
 if (u->uid < match->uid_min || u->uid > match->uid_max)
 return false;
diff --git a/src/shared/user-record.h b/src/shared/user-record.h
index 8f58c5ca93..fcd2685554 100644
--- a/src/shared/user-record.h
+++ b/src/shared/user-record.h
@@ -532,7 +532,7 @@ static inline void userdb_match_done(UserDBMatch *match) {
 }
 bool user_name_fuzzy_match(const char *names[], size_t n_names, char **matches);
-int user_record_match(UserRecord *u, const UserDBMatch *match);
+bool user_record_match(UserRecord *u, const UserDBMatch *match);
 bool user_record_matches_user_name(const UserRecord *u, const char *username);
diff --git a/src/shared/userdb.c b/src/shared/userdb.c
index ea352de000..a420504b0c 100644
--- a/src/shared/userdb.c
+++ b/src/shared/userdb.c
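Review bot: Changing the prototype of `group_record_match()` from `int` to `bool` is silent for any caller that still writes `r = group_record_match(...); if (r < 0) return r;`, because it keeps compiling and the error branch just becomes dead code. This diff updates four call sites in userdb.c, and callers in other files are not visible here. A tree-wide search for `group_record_match(` and `user_record_match(` is worth doing before merging, since the user-record.h hunk makes the same change. A short comment on both prototypes saying that `false` means "filtered out, or the record carries no valid ID" would also keep a future caller from treating the result as an errno-style value.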
@@ -915,10 +915,7 @@ int userdb_by_name(const char *name, const UserDBMatch *match, UserDBFlags flags
 /* NB: we always apply our own filtering here, explicitly, regardless if the server supported it or
 * not. It's more robust this way, we never know how carefully the server is written, and whether it
 * properly implements all details of the filtering logic. */
- r = user_record_match(ur, match);
- if (r < 0)
- return r;
- if (r == 0)
+ if (!user_record_match(ur, match))
 return -ENOEXEC;
 if (ret)
@@ -1001,10 +998,7 @@ int userdb_by_uid(uid_t uid, const UserDBMatch *match, UserDBFlags flags, UserRe
 return r;
 }
- r = user_record_match(ur, match);
- if (r < 0)
- return r;
- if (r == 0)
+ if (!user_record_match(ur, match))
 return -ENOEXEC;
 if (ret)
@@ -1347,16 +1341,13 @@ int groupdb_by_name(const char *name, const UserDBMatch *match, UserDBFlags flag
 }
 /* As above, we apply our own client-side filtering even if server-side filtering worked, for robustness and simplicity reasons. */
- r = group_record_match(gr, match);
- if (r < 0)
- return r;
- if (r == 0)
+ if (!group_record_match(gr, match))
 return -ENOEXEC;
 if (ret)
 *ret = TAKE_PTR(gr);
- return r;
+ return 0;
 }
 static int groupdb_by_gid_fallbacks(
@@ -1432,10 +1423,7 @@ int groupdb_by_gid(gid_t gid, const UserDBMatch *match, UserDBFlags flags, Group
 return r;
 }
- r = group_record_match(gr, match);
- if (r < 0)
- return r;
- if (r == 0)
+ if (!group_record_match(gr, match))
 return -ENOEXEC;
 if (ret)
diff --git a/test/units/TEST-13-NSPAWN.nss-mymachines.sh b/test/units/TEST-13-NSPAWN.nss-mymachines.sh
index 817431b449..cfae33b1b3 100755
--- a/test/units/TEST-13-NSPAWN.nss-mymachines.sh
+++ b/test/units/TEST-13-NSPAWN.nss-mymachines.sh
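Review bot: With the match result no longer stored in `r`, any trailing `return r;` in userdb_by_name(), userdb_by_uid() or groupdb_by_gid() would now return whatever the earlier lookup left in `r` rather than the match outcome. Only groupdb_by_name() is switched to `return 0;` in this diff. The tails of the other three functions lie outside their hunks, so please confirm each one ends in an explicit `return 0;` after `*ret = TAKE_PTR(...)`. Separately, a record with no valid UID or GID is now reported as `-ENOEXEC`, the same code as "filtered out"; if callers need to tell the two apart, that deserves a line in the comment above the check.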
@@ -114,8 +114,8 @@ for i in {100..120}; do
 run_and_grep "^10\.2\.0\.$i\s+STREAM" getent ahostsv4 -s mymachines nss-mymachines-manyips
 done
 run_and_grep "^fd00:dead:beef:cafe::2\s+STREAM" getent ahostsv6 -s mymachines nss-mymachines-manyips
-(! run_and_grep "^fd00:" getent ahostsv4 -s mymachines nss-mymachines-manyips)
-(! run_and_grep "^10\.2:" getent ahostsv6 -s mymachines nss-mymachines-manyips)
+run_and_grep -n "^fd00:" getent ahostsv4 -s mymachines nss-mymachines-manyips
+run_and_grep -n "^10\.2:" getent ahostsv6 -s mymachines nss-mymachines-manyips
 # Multiple machines at once
 run_and_grep "^10\.1\.0\.2\s+nss-mymachines-singleip$" getent hosts -s mymachines nss-mymachines-{singleip,manyips}
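Review bot: The second negative assertion uses the pattern `^10\.2:`, which requires a colon after `10.2` and so cannot match an IPv4 address at the start of a line; the check passes even if `getent ahostsv6` wrongly returned `10.2.0.x` entries. The pattern is carried over unchanged from the removed line, so the weakness predates this commit, but this is the line being touched. `run_and_grep -n "^10\.2\." getent ahostsv6 -s mymachines nss-mymachines-manyips` would actually exercise the address-family separation. The `-n` flag is assumed to mean "must not match"; the helper is defined outside this hunk.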