src/login_nopam.c: Use iterative list_match

The recursive nature of list_match triggered regression during refactoring. In Linux-PAM, the same code exists which could lead to stack overflow because access.conf could be arbitrarily long. Use an iterative approach for easier refactoring, to support long lines in the future and to stay in sync with Linux-PAM. Signed-off-by: Tobias Stoeckmann <[email protected]>
shadow-maint · Jan 16, 2025 · 3d4878d · 3d4878d
1 parent f2c86df
commit 3d4878d
Showing 1 changed file with 14 additions and 12 deletions.
diff --git a/src/login_nopam.c b/src/login_nopam.c
@@ -149,33 +149,35 @@ list_match(char *list, const char *item, bool (*match_fn)(char *, const char*))
 	static const char  sep[] = ", \t";
 
 	char *tok;
+	bool inclusion = true;
+	bool matched = false;
+	bool result = false;
 
 	/*
 	 * Process tokens one at a time. We have exhausted all possible matches
 	 * when we reach an "EXCEPT" token or the end of the list. If we do find
-	 * a match, look for an "EXCEPT" list and recurse to determine whether
-	 * the match is affected by any exceptions.
+	 * a match, look for an "EXCEPT" list and determine whether the match is
+	 * affected by any exceptions.
 	 */
 	while (NULL != (tok = strsep(&list, sep))) {
-		if (strcasecmp (tok, "EXCEPT") == 0) {	/* EXCEPT: give up */
-			break;
+		if (strcasecmp (tok, "EXCEPT") == 0) {	/* EXCEPT: invert */
+			if (!matched) {	/* stop processing: not part of list */
+				break;
+			}
+			inclusion = !inclusion;
+			matched = false;
 		} else {
 			bool  match;
 
 			match = (*match_fn)(tok, item);
 			if (match) {
-				while (   (NULL != (tok = strsep(&list, sep)))
-				       && (strcasecmp (tok, "EXCEPT") != 0))
-					/* VOID */ ;
-				if (tok == NULL || !list_match(list, item, match_fn)) {
-					return (match);
-				}
-				break;
+				result = inclusion;
+				matched = true;
 			}
 		}
 	}
 
-	return false;
+	return result;
 }
 
 /* myhostname - figure out local machine name */