When copying gr_mem we must guarantee that the storage space for

gr_mem is properly aligned.  The simplest way to do this is to
simply store gr_mem directly after struct group.  This is not a
problem for gr_passwd or gr_name as they are simple strings.

diff --git a/pwutil.c b/pwutil.c
index 1b0224b7db27274dc823c785a320b7156758b26c..f8ddac83940467f67a8e2bb84f1071e3bbe2ef8f 100644 (file)
--- a/pwutil.c
+++ b/pwutil.c
@@ -458,12 +458,11 @@ sudo_grdup(gr)
 
     /*
      * Copy in group contents and make strings relative to space
-     * at the end of the buffer.
+     * at the end of the buffer.  Note that gr_mem must come
+     * immediately after struct group to guarantee proper alignment.
      */
     (void)memcpy(newgr, gr, sizeof(struct group));
     cp += sizeof(struct group);
-    FIELD_COPY(gr, newgr, gr_name, nsize);
-    FIELD_COPY(gr, newgr, gr_passwd, psize);
     if (gr->gr_mem) {
        newgr->gr_mem = (char **)cp;
        cp += sizeof(char *) * nmem;
@@ -475,6 +474,8 @@ sudo_grdup(gr)
        }
        newgr->gr_mem[nmem] = NULL;
     }
+    FIELD_COPY(gr, newgr, gr_passwd, psize);
+    FIELD_COPY(gr, newgr, gr_name, nsize);
 
     return(newgr);
 }