Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 16 Apr 2018 14:05:49 +0300
From:      Andriy Gapon <avg@FreeBSD.org>
To:        Konstantin Belousov <kostikbel@gmail.com>
Cc:        src-committers@FreeBSD.org, svn-src-all@FreeBSD.org, svn-src-head@FreeBSD.org
Subject:   Re: svn commit: r332559 - head/usr.sbin/mountd
Message-ID:  <84a443f7-ce41-0de4-cd6e-d7c450eb1460@FreeBSD.org>
In-Reply-To: <20180416105611.GG1774@kib.kiev.ua>
References:  <201804160917.w3G9HaCN081290@repo.freebsd.org> <20180416105611.GG1774@kib.kiev.ua>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 16/04/2018 13:56, Konstantin Belousov wrote:
> On Mon, Apr 16, 2018 at 09:17:36AM +0000, Andriy Gapon wrote:
>> Author: avg
>> Date: Mon Apr 16 09:17:36 2018
>> New Revision: 332559
>> URL: https://svnweb.freebsd.org/changeset/base/332559
>>
>> Log:
>>   mountd: fix a crash when getgrouplist reports too many groups
>>   
>>   Previously the code only warned about the condition and then happily
>>   proceeded to use the too large value resulting in the array
>>   out-of-bounds access.
>>   
>>   Obtained from:	Panzura (Chuanbo Zheng)
>>   MFC after:	10 days
>>   Sponsored by:	Panzura
>>
>> Modified:
>>   head/usr.sbin/mountd/mountd.c
>>
>> Modified: head/usr.sbin/mountd/mountd.c
>> ==============================================================================
>> --- head/usr.sbin/mountd/mountd.c	Mon Apr 16 08:41:44 2018	(r332558)
>> +++ head/usr.sbin/mountd/mountd.c	Mon Apr 16 09:17:36 2018	(r332559)
>> @@ -2915,8 +2915,11 @@ parsecred(char *namelist, struct xucred *cr)
>>  		}
>>  		cr->cr_uid = pw->pw_uid;
>>  		ngroups = XU_NGROUPS + 1;
>> -		if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups))
>> +		if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups)) {
>>  			syslog(LOG_ERR, "too many groups");
>> +			ngroups = XU_NGROUPS + 1;
> Why XU_NGROUPS and not the value of sysctl("kern.ngroups") ?

Two reasons:

1. it's what the code already used
2. the groups are placed into struct xucred and later that struct is passed to
kernel, so in my opinion it's xucred that defines the limit in this case


-- 
Andriy Gapon

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?84a443f7-ce41-0de4-cd6e-d7c450eb1460>