Date: Wed, 12 Oct 2011 00:05:15 GMT
From: Jeremy Huddleston <jeremyhu@apple.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/161509: usr.bin/newgrp has an off-by-1 error when checking ngrps
Message-ID: <201110120005.p9C05FlL013538@red.freebsd.org>
Resent-Message-ID: <201110120010.p9C0A73x025678@freefall.freebsd.org>
>Number: 161509
>Category: misc
>Synopsis: usr.bin/newgrp has an off-by-1 error when checking ngrps
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 12 00:10:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Jeremy Huddleston
>Release: HEAD
>Organization:
Apple Inc
>Environment:
N/A
>Description:
newgrp.c currently does:
    if (ngrps == ngrps_max)
        ... warn about too many groups
    else
        ngrps++
    setgroups(ngrps, ...)
Thus the check for ngrps_max needs to be against ngrps + 1, not ngrps.
>How-To-Repeat:
call newgrp with your NGROUPS_MAXth group.
>Fix:
Line numbers will be offset due to local changes.
--- newgrp.c (revision 3269)
+++ newgrp.c (working copy)
@@ -143,7 +146,7 @@
if (initres < 0)
warn("initgroups");
if (setres < 0)
- warn("setgroups");
+ warn("setgid");
}
static void
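Review bot: the change from warn("setgroups") to warn("setgid") is not mentioned anywhere in the Description, which only covers the ngrps check, and the hunk does not show where setres is assigned. Confirm that setres holds the return value of setgid() (the variable name suggests it does) and say so in the Description, or send this message fix separately from the off-by-one so the two can be reviewed and committed independently.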
@@ -227,7 +250,7 @@
/* Add old effective gid to supp. list if it does not exist. */
if (egid != grp->gr_gid && !inarray(egid, grps, ngrps)) {
- if (ngrps == ngrps_max)
+ if (ngrps + 1 >= ngrps_max)
warnx("too many groups");
else {
grps[ngrps++] = egid;
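Review bot: `ngrps + 1 >= ngrps_max` refuses the append when ngrps + 1 == ngrps_max, i.e. when the list would end up with exactly ngrps_max entries, which is one element earlier than the Description's reasoning ("against ngrps + 1, not ngrps") calls for. If ngrps_max is the number of entries grps can hold and setgroups() will accept, the condition should be `ngrps + 1 > ngrps_max`, which is simply `ngrps >= ngrps_max`; if ngrps_max is instead sized one larger than that limit, the `>=` form is right but the Description should say so, since the hunk does not show how ngrps_max is computed. Either way a `>=` comparison is preferable to the original `==`, which a count already above the limit would step past without triggering. The hunk is also cut off after `grps[ngrps++] = egid;`, so the setgroups() call the Description refers to is not visible here.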
>Release-Note:
>Audit-Trail:
>Unformatted:
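To make the boundary behaviour of the three candidate checks concrete, the following is an added example, not code from FreeBSD's newgrp.c and not part of the report. It appends gids to a fixed-capacity array the way the Description's pseudocode does and reports where each predicate stops. The names (enum pred, too_many, fill_until_refused), the capacity limit of 64 and the gid values are assumptions made for the illustration; whether the patch's `>=` form is one slot too conservative depends on how ngrps_max relates to the size of grps, which the report does not show.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/*
 * Added example (not FreeBSD's newgrp.c): compare the three candidate
 * "too many groups" predicates at the boundary when appending to a
 * fixed-capacity gid_t array. All names and sizes here are illustrative.
 */
enum pred {
	PRED_EQ,        /* ngrps == ngrps_max     : the check in the original code  */
	PRED_PLUS1_GE,  /* ngrps + 1 >= ngrps_max : the check proposed in the patch */
	PRED_GE         /* ngrps >= ngrps_max     : same as ngrps + 1 > ngrps_max   */
};

/* True when the predicate says the list is full and nothing may be added. */
static bool
too_many(enum pred p, int ngrps, int ngrps_max)
{
	switch (p) {
	case PRED_EQ:       return ngrps == ngrps_max;
	case PRED_PLUS1_GE: return ngrps + 1 >= ngrps_max;
	case PRED_GE:       return ngrps >= ngrps_max;
	}
	return true;
}

#define CAP_LIMIT 64	/* assumed upper bound on the simulated array */

/*
 * Start with 'start' gids already in a grps[] array that can hold 'cap'
 * entries, then append fresh gids one at a time until the predicate refuses.
 * Returns the number of entries stored at that point, or -1 if the predicate
 * would have let the real code write grps[cap], i.e. past the end of the
 * array. Returns -2 for nonsensical parameters.
 */
static int
fill_until_refused(enum pred p, int cap, int ngrps_max, int start)
{
	gid_t grps[CAP_LIMIT];
	int ngrps;

	if (cap < 0 || cap > CAP_LIMIT || start < 0 || start > cap)
		return -2;
	for (ngrps = 0; ngrps < start; ngrps++)
		grps[ngrps] = (gid_t)(100 + ngrps);	/* pre-existing groups */

	for (;;) {
		if (too_many(p, ngrps, ngrps_max))
			return ngrps;		/* the "too many groups" path */
		if (ngrps >= cap)
			return -1;		/* grps[ngrps++] = egid would overflow */
		grps[ngrps] = (gid_t)(1000 + ngrps);	/* constructed new gid */
		ngrps++;
	}
}

int
main(void)
{
	const char *names[] = {
		"ngrps == ngrps_max", "ngrps + 1 >= ngrps_max", "ngrps >= ngrps_max"
	};
	for (int p = PRED_EQ; p <= PRED_GE; p++) {
		printf("%-24s cap=4 max=4 start=0 -> %d\n", names[p],
		    fill_until_refused((enum pred)p, 4, 4, 0));
		printf("%-24s cap=8 max=4 start=5 -> %d\n", names[p],
		    fill_until_refused((enum pred)p, 8, 4, 5));
	}
	return 0;
}
```

With cap equal to ngrps_max, both `==` and `>=` store ngrps_max entries while `ngrps + 1 >=` stops one short; when the count is already past the limit, `==` never triggers and the append runs off the end of the array, which is why a `>=` comparison is the safer idiom whatever the exact limit turns out to be.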
