The Samba-Bugzilla – Attachment 13160 Details for
Bug 12747
wrong use of getgroups causes buffer overflow
[patch]
git-am fix for 4.6.next, 4.5.next.
look (text/plain), 3.08 KB, created by
Jeremy Allison
on 2017-04-19 00:35:01 UTC
>From 3df4092261b0ebf8b6273ff3a4872aab9ca37966 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 17 Apr 2017 14:30:04 -0700 >Subject: [PATCH 1/2] s3:lib: Fix incorrect logic in sys_broken_getgroups() > >If setlen == 0 then the second argument must be ignored. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12747 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 60af864f751706c48b8af448700bf06e33e45946) >--- > source3/lib/system.c | 12 +++++++----- > 1 file changed, 7 insertions(+), 5 deletions(-) > >diff --git a/source3/lib/system.c b/source3/lib/system.c >index 3d3eeeda7c4..99462b631c7 100644 >--- a/source3/lib/system.c >+++ b/source3/lib/system.c >@@ -790,12 +790,11 @@ int groups_max(void) > > static int sys_broken_getgroups(int setlen, gid_t *gidset) > { >- GID_T gid; > GID_T *group_list; > int i, ngroups; > > if(setlen == 0) { >- return getgroups(setlen, &gid); >+ return getgroups(0, NULL); > } > > /* >@@ -808,9 +807,6 @@ static int sys_broken_getgroups(int setlen, gid_t *gidset) > return -1; > } > >- if (setlen == 0) >- setlen = groups_max(); >- > if((group_list = SMB_MALLOC_ARRAY(GID_T, setlen)) == NULL) { > DEBUG(0,("sys_getgroups: Malloc fail.\n")); > return -1; >@@ -823,6 +819,12 @@ static int sys_broken_getgroups(int setlen, gid_t *gidset) > return -1; > } > >+ /* >+ * We're safe here as if ngroups > setlen then >+ * getgroups *must* return EINVAL. >+ * pubs.opengroup.org/onlinepubs/009695399/functions/getgroups.html >+ */ >+ > for(i = 0; i < ngroups; i++) > gidset[i] = (gid_t)group_list[i]; > >-- >2.12.2.816.g2cccc81164-goog > > >From ce99e462b62aa4e276f6283604cf4e57c0b865c1 Mon Sep 17 00:00:00 2001 
>From: Jeremy Allison <jra@samba.org> >Date: Mon, 17 Apr 2017 14:30:54 -0700 >Subject: [PATCH 2/2] s3:smbd: Fix incorrect use of sys_getgroups() >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Second arg must be NULL when first arg is 0 (it is in all other places). > >Bug report and patch from Hanno Böck <hanno@hboeck.de> > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12747 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Tue Apr 18 15:43:02 CEST 2017 on sn-devel-144 > >(cherry picked from commit 76b351e907f67cc7d4af4e7d800c7a3aa1269ee8) >--- > source3/smbd/sec_ctx.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > >diff --git a/source3/smbd/sec_ctx.c b/source3/smbd/sec_ctx.c >index 33d987fbe70..5e0710e0ecb 100644 >--- a/source3/smbd/sec_ctx.c >+++ b/source3/smbd/sec_ctx.c >@@ -139,7 +139,6 @@ static void gain_root(void) > static int get_current_groups(gid_t gid, uint32_t *p_ngroups, gid_t **p_groups) > { > int i; >- gid_t grp; > int ngroups; > gid_t *groups = NULL; > >@@ -153,7 +152,7 @@ static int get_current_groups(gid_t gid, uint32_t *p_ngroups, gid_t **p_groups) > set_effective_gid(gid); > samba_setgid(gid); > >- ngroups = sys_getgroups(0,&grp); >+ ngroups = sys_getgroups(0, NULL); > if (ngroups <= 0) { > goto fail; > } >-- >2.12.2.816.g2cccc81164-goog >
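Review bot: In PATCH 1/2, hunk `@@ -808,9 +807,6` of source3/lib/system.c, setlen now reaches `SMB_MALLOC_ARRAY(GID_T, setlen)` unmodified, so the allocation size is guarded only by the check ending in `return -1;` just above, which the context does not show in full; please confirm that check rejects a negative setlen. Dropping the `setlen = groups_max()` fallback looks right, since the early return for `setlen == 0` at the top of the function made it unreachable. While here, the DEBUG text in the context reads "sys_getgroups: Malloc fail." although the function is sys_broken_getgroups(); the message should name the function it comes from.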
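Review bot: In PATCH 1/2, hunk `@@ -823,6 +819,12` of source3/lib/system.c, the copy loop `gidset[i] = (gid_t)group_list[i];` is bounded only by ngroups, and the new comment justifies that by what POSIX requires of getgroups() rather than by a check in the code. This is the sys_broken_getgroups() path, so I would prefer an explicit `if (ngroups > setlen)` that sets EINVAL and returns -1 before the loop; it is cheap and keeps the write into gidset within setlen even if the platform call does not conform. The URL in the comment is also missing its scheme.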
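Review bot: In PATCH 2/2, hunk `@@ -153,7 +152,7` of source3/smbd/sec_ctx.c, the context line `if (ngroups <= 0)` sends a count of 0 to `fail`, yet with a size of 0 the call only reports how many supplementary groups there are, and 0 can be a valid answer; is treating it as an error intended here? The change to `sys_getgroups(0, NULL)` itself is fine and matches the early return added in PATCH 1/2. The commit message says the second argument is NULL in all other places; a one-line comment at this call stating that the list argument must be NULL when the size is 0 would help keep a stack scalar from being passed again.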
Flags:
asn
:
review+