Created attachment 13155 [details] fix use of getgroups The function gain_root() (source3/smbd/sec_ctx.c) contains this line of code: ngroups = sys_getgroups(0,&grp); I'm not sure what was intended here, but it seems to me the function getgroups (for which sys_getgroups is an alias) isn't supposed to be used like this. If I compile samba with address sanitizer it'll report a buffer overflow in grp. When the first argument is 0 then getgroups isn't supposed to do anything with the second argument, so it can (and should) be a null pointer. This avoids the overflow. grp isn't used anywhere else. Patch attached. Here's the stack trace from address sanitizer: ==14194==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff3c1a0d84 at pc 0x7feafbed89a1 bp 0x7fff3c1a0d40 sp 0x7fff3c1a04f0 WRITE of size 40 at 0x7fff3c1a0d84 thread T0 #0 0x7feafbed89a0 in getgroups (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x4e9a0) #1 0x7feafaf9a0f3 in get_current_groups ../source3/smbd/sec_ctx.c:156 #2 0x7feafaf9a0f3 in init_sec_ctx ../source3/smbd/sec_ctx.c:466 #3 0x56489a05e06d in main ../source3/smbd/server.c:1667 #4 0x7feaf6bc11e0 in __libc_start_main (/lib64/libc.so.6+0x201e0) #5 0x56489a060049 in _start (/usr/sbin/smbd+0x13049) Address 0x7fff3c1a0d84 is located in stack of thread T0 at offset 36 in frame #0 0x7feafaf99f5f in init_sec_ctx ../source3/smbd/sec_ctx.c:447 This frame has 1 object(s): [32, 36) 'grp' <== Memory access at offset 36 overflows this variable
Created attachment 13156 [details] git-am fix for master. I think this is a more complete fix here.
Created attachment 13160 [details] git-am fix for 4.6.next, 4.5.next. Cherry-picked from master.
Karolin, please add the patches to the relevant branches. Thanks.
Pushed to autobuild-v4-{5,6}-test.
(In reply to Karolin Seeger from comment #4) Pushed to both branches. Closing out bug report. Thanks!