
D46912.diff

D46912.diff

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -815,6 +815,15 @@
gid_t *groups;
int gidsetsize, error;
+ /*
+ * Sanity check size now to avoid passing too big a value to copyin(),
+ * even if kern_setgroups() will do it again.
+ *
+ * Ideally, the 'gidsetsize' argument should have been a 'u_int' (and it
+ * was, in this implementation, for a long time), but POSIX standardized
+ * getgroups() to take an 'int' and it would be quite entrapping to have
+ * setgroups() differ.
+ */
gidsetsize = uap->gidsetsize;
if (gidsetsize > ngroups_max + 1 || gidsetsize < 0)
return (EINVAL);
@@ -843,13 +852,16 @@
}
int
-kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups)
+kern_setgroups(struct thread *td, int ngrp, gid_t *groups)
{
struct proc *p = td->td_proc;
struct ucred *newcred, *oldcred;
int error;
- MPASS(ngrp <= ngroups_max + 1);
+ /* Sanity check size. */
+ if (ngrp < 0 || ngrp > ngroups_max + 1)
+ return (EINVAL);
+
AUDIT_ARG_GROUPSET(groups, ngrp);
newcred = crget();
crextend(newcred, ngrp);
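Review bot: The new `/* Sanity check size. */` comment in kern_setgroups() does not say why the bound moved from MPASS() to a runtime check, which is the security-relevant part of this hunk: `crextend(newcred, ngrp)` sizes the new credential from a caller-supplied count, and the old assertion only fired on INVARIANTS kernels. I would expand it to something like `/* Enforced on all kernels, not only under INVARIANTS: 'ngrp' sizes the credential below and callers other than sys_setgroups() may not have validated it. */`. Since `ngrp` is now a signed `int`, callers that still hold the count in an unsigned variable, and callers that relied on the old assertion and ignore the return value, should be checked for the new EINVAL path; none of them are visible in this diff. The function body continues outside the hunk.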
diff --git a/sys/security/audit/audit.h b/sys/security/audit/audit.h
--- a/sys/security/audit/audit.h
+++ b/sys/security/audit/audit.h
@@ -98,7 +98,7 @@
void audit_arg_ruid(uid_t ruid);
void audit_arg_sgid(gid_t sgid);
void audit_arg_suid(uid_t suid);
-void audit_arg_groupset(gid_t *gidset, u_int gidset_size);
+void audit_arg_groupset(gid_t *gidset, int gidset_size);
void audit_arg_login(char *login);
void audit_arg_ctlname(int *name, int namelen);
void audit_arg_mask(int mask);
diff --git a/sys/security/audit/audit_arg.c b/sys/security/audit/audit_arg.c
--- a/sys/security/audit/audit_arg.c
+++ b/sys/security/audit/audit_arg.c
@@ -263,13 +263,13 @@
}
void
-audit_arg_groupset(gid_t *gidset, u_int gidset_size)
+audit_arg_groupset(gid_t *gidset, int gidset_size)
{
- u_int i;
+ int i;
struct kaudit_record *ar;
- KASSERT(gidset_size <= ngroups_max + 1,
- ("audit_arg_groupset: gidset_size > (kern.ngroups + 1)"));
+ KASSERT(gidset_size >= 0 && gidset_size <= ngroups_max + 1,
+ ("audit_arg_groupset: gidset_size < 0 or > (kern.ngroups + 1)"));
ar = currecord();
if (ar == NULL)
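Review bot: The bound on `gidset_size` in audit_arg_groupset() is still only a KASSERT(), so on kernels built without INVARIANTS nothing in this function rejects a negative or oversized count before the rest of the body (outside this hunk) uses it. kern_setgroups() now validates `ngrp` before calling AUDIT_ARG_GROUPSET(), but any other caller would have to do the same. I would state that contract above the assertion, e.g. `/* Callers must validate gidset_size; this is checked only under INVARIANTS. */`, or return early on an out-of-range value if other callers exist.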
diff --git a/sys/sys/syscallsubr.h b/sys/sys/syscallsubr.h
--- a/sys/sys/syscallsubr.h
+++ b/sys/sys/syscallsubr.h
@@ -320,7 +320,7 @@
fd_set *fd_ex, struct timeval *tvp, int abi_nfdbits);
int kern_sendit(struct thread *td, int s, struct msghdr *mp, int flags,
struct mbuf *control, enum uio_seg segflg);
-int kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups);
+int kern_setgroups(struct thread *td, int ngrp, gid_t *groups);
int kern_setitimer(struct thread *, u_int, struct itimerval *,
struct itimerval *);
int kern_setpriority(struct thread *td, int which, int who, int prio);
