The Samba-Bugzilla – Attachment 13156 Details for
Bug 12747
wrong use of getgroups causes buffer overflow
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for master.
look (text/plain), 2.73 KB, created by
Jeremy Allison
on 2017-04-17 21:46:10 UTC
(
hide
)
Description:
git-am fix for master.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2017-04-17 21:46:10 UTC
Size:
2.73 KB
patch
obsolete
>From f0365ad3e37a5d27fa7d86e86458f3a79bede377 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 17 Apr 2017 14:30:04 -0700 >Subject: [PATCH 1/2] s3: lib: Fix incorrect logic in sys_broken_getgroups(). > >If setlen == 0 then the second argument must be ignored. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12747 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/lib/system.c | 12 +++++++----- > 1 file changed, 7 insertions(+), 5 deletions(-) > >diff --git a/source3/lib/system.c b/source3/lib/system.c >index 3d3eeeda7c4..99462b631c7 100644 >--- a/source3/lib/system.c >+++ b/source3/lib/system.c >@@ -790,12 +790,11 @@ int groups_max(void) > > static int sys_broken_getgroups(int setlen, gid_t *gidset) > { >- GID_T gid; > GID_T *group_list; > int i, ngroups; > > if(setlen == 0) { >- return getgroups(setlen, &gid); >+ return getgroups(0, NULL); > } > > /* >@@ -808,9 +807,6 @@ static int sys_broken_getgroups(int setlen, gid_t *gidset) > return -1; > } > >- if (setlen == 0) >- setlen = groups_max(); >- > if((group_list = SMB_MALLOC_ARRAY(GID_T, setlen)) == NULL) { > DEBUG(0,("sys_getgroups: Malloc fail.\n")); > return -1; >@@ -823,6 +819,12 @@ static int sys_broken_getgroups(int setlen, gid_t *gidset) > return -1; > } > >+ /* >+ * We're safe here as if ngroups > setlen then >+ * getgroups *must* return EINVAL. >+ * pubs.opengroup.org/onlinepubs/009695399/functions/getgroups.html >+ */ >+ > for(i = 0; i < ngroups; i++) > gidset[i] = (gid_t)group_list[i]; > >-- >2.12.2.762.g0e3151a226-goog > > >From 9c13408aba1553d438e0c26616dd2d38857cade4 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 17 Apr 2017 14:30:54 -0700 >Subject: [PATCH 2/2] s3: smbd: Fix incorrect use of sys_getgroups(). >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Second arg must be NULL when first arg is 0 (it >is in all other places). > >Bug report and patch from Hanno Böck <hanno@hboeck.de> > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12747 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/sec_ctx.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > >diff --git a/source3/smbd/sec_ctx.c b/source3/smbd/sec_ctx.c >index 33d987fbe70..5e0710e0ecb 100644 >--- a/source3/smbd/sec_ctx.c >+++ b/source3/smbd/sec_ctx.c >@@ -139,7 +139,6 @@ static void gain_root(void) > static int get_current_groups(gid_t gid, uint32_t *p_ngroups, gid_t **p_groups) > { > int i; >- gid_t grp; > int ngroups; > gid_t *groups = NULL; > >@@ -153,7 +152,7 @@ static int get_current_groups(gid_t gid, uint32_t *p_ngroups, gid_t **p_groups) > set_effective_gid(gid); > samba_setgid(gid); > >- ngroups = sys_getgroups(0,&grp); >+ ngroups = sys_getgroups(0, NULL); > if (ngroups <= 0) { > goto fail; > } >-- >2.12.2.762.g0e3151a226-goog >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=13156">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 12747
:
13155
|
13156
|
13160