Introduce a version field to `struct xucred' in place of one of the

spares (the size of the field was changed from u_short to u_int to
reflect what it really ends up being).  Accordingly, change users of
xucred to set and check this field as appropriate.  In the kernel,
this is being done inside the new cru2x() routine which takes a
`struct ucred' and fills out a `struct xucred' according to the
former.  This also has the pleasant sideaffect of removing some
duplicate code.

Reviewed by:	rwatson

13 files changed, 38 insertions, 50 deletions

diff --git a/lib/libc/gen/getpeereid.3 b/lib/libc/gen/getpeereid.3
index 94ed61e..e124d0a 100644
--- a/lib/libc/gen/getpeereid.3
+++ b/lib/libc/gen/getpeereid.3
@@ -118,7 +118,8 @@ have been called.
 The argument
 .Fa s
 does not refer to a socket of type
-.Dv SOCK_STREAM .
+.Dv SOCK_STREAM ,
+or the kernel returned invalid data.
 .El
 .Sh SEE ALSO
 .Xr connect 2 ,
diff --git a/lib/libc/gen/getpeereid.c b/lib/libc/gen/getpeereid.c
index 7d0c577..b64ff54 100644
--- a/lib/libc/gen/getpeereid.c
+++ b/lib/libc/gen/getpeereid.c
@@ -32,6 +32,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/ucred.h>
 #include <sys/un.h>
 
+#include <errno.h>
 #include <unistd.h>
 
 int
@@ -45,6 +46,8 @@ getpeereid(int s, uid_t *euid, gid_t *egid)
 	error = getsockopt(s, LOCAL_PEERCRED, 1, &xuc, &xuclen);
 	if (error != 0)
 		return (error);
+	if (xuc.cr_version != XUCRED_VERSION)
+		return (EINVAL);
 	*euid = xuc.cr_uid;
 	*egid = xuc.cr_gid;
 	return (0);
diff --git a/sbin/mountd/mountd.c b/sbin/mountd/mountd.c
index b3f220e..862b61b 100644
--- a/sbin/mountd/mountd.c
+++ b/sbin/mountd/mountd.c
@@ -211,7 +211,7 @@ struct mountlist *mlhead;
 struct grouplist *grphead;
 char exname[MAXPATHLEN];
 struct xucred def_anon = {
-	0,
+	XUCRED_VERSION,
 	(uid_t)-2,
 	1,
 	{ (gid_t)-2 },
@@ -2050,6 +2050,7 @@ parsecred(namelist, cr)
 	struct group *gr;
 	int ngroups, groups[NGROUPS + 1];
 
+	cr->cr_version = XUCRED_VERSION;
 	/*
 	 * Set up the unprivileged user.
 	 */
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 615709e..56f7895 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1760,6 +1760,22 @@ crdup(cr)
 }
 
 /*
+ * Fill in a struct xucred based on a struct ucred.
+ */
+void
+cru2x(cr, xcr)
+	struct ucred *cr;
+	struct xucred *xcr;
+{
+
+	bzero(xcr, sizeof(*xcr));
+	xcr->cr_version = XUCRED_VERSION;
+	xcr->cr_uid = cr->cr_uid;
+	xcr->cr_ngroups = cr->cr_ngroups;
+	bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
+}
+
+/*
  * small routine to swap a thread's current ucred for the correct one
  * taken from the process.
  */
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 6bc58f2..a6522607 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -717,11 +717,7 @@ unp_connect(so, nam, td)
 		 * from its process structure at the time of connect()
 		 * (which is now).
 		 */
-		memset(&unp3->unp_peercred, '\0', sizeof(unp3->unp_peercred));
-		unp3->unp_peercred.cr_uid = td->td_proc->p_ucred->cr_uid;
-		unp3->unp_peercred.cr_ngroups = td->td_proc->p_ucred->cr_ngroups;
-		memcpy(unp3->unp_peercred.cr_groups, td->td_proc->p_ucred->cr_groups,
-		    sizeof(unp3->unp_peercred.cr_groups));
+		cru2x(td->td_proc->p_ucred, &unp3->unp_peercred);
 		unp3->unp_flags |= UNP_HAVEPC;
 		/*
 		 * The receiver's (server's) credentials are copied
@@ -1427,11 +1423,7 @@ unp_listen(unp, p)
 	struct proc *p;
 {
 
-	bzero(&unp->unp_peercred, sizeof(unp->unp_peercred));
-	unp->unp_peercred.cr_uid = p->p_ucred->cr_uid;
-	unp->unp_peercred.cr_ngroups = p->p_ucred->cr_ngroups;
-	bcopy(p->p_ucred->cr_groups, unp->unp_peercred.cr_groups,
-	    sizeof(unp->unp_peercred.cr_groups));
+	cru2x(p->p_ucred, &unp->unp_peercred);
 	unp->unp_flags |= UNP_HAVEPCCACHED;
 	return (0);
 }
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index d79b816..99b50a5 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -922,11 +922,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
 	error = cr_cansee(req->td->td_proc->p_ucred, inp->inp_socket->so_cred);
 	if (error)
 		goto out;
-	bzero(&xuc, sizeof(xuc));
-	xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
-	xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
-	bcopy(inp->inp_socket->so_cred->cr_groups, xuc.cr_groups,
-	    sizeof(xuc.cr_groups));
+	cru2x(inp->inp_socket->so_cred, &xuc);
 	error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
 out:
 	splx(s);
@@ -978,11 +974,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
 	error = cr_cansee(req->td->td_proc->p_ucred, inp->inp_socket->so_cred);
 	if (error)
 		goto out;
-	bzero(&xuc, sizeof(xuc));
-	xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
-	xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
-	bcopy(inp->inp_socket->so_cred->cr_groups, xuc.cr_groups,
-	    sizeof(xuc.cr_groups));
+	cru2x(inp->inp_socket->so_cred, &xuc);
 	error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
 out:
 	splx(s);
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index d79b816..99b50a5 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -922,11 +922,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
 	error = cr_cansee(req->td->td_proc->p_ucred, inp->inp_socket->so_cred);
 	if (error)
 		goto out;
-	bzero(&xuc, sizeof(xuc));
-	xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
-	xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
-	bcopy(inp->inp_socket->so_cred->cr_groups, xuc.cr_groups,
-	    sizeof(xuc.cr_groups));
+	cru2x(inp->inp_socket->so_cred, &xuc);
 	error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
 out:
 	splx(s);
@@ -978,11 +974,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
 	error = cr_cansee(req->td->td_proc->p_ucred, inp->inp_socket->so_cred);
 	if (error)
 		goto out;
-	bzero(&xuc, sizeof(xuc));
-	xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
-	xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
-	bcopy(inp->inp_socket->so_cred->cr_groups, xuc.cr_groups,
-	    sizeof(xuc.cr_groups));
+	cru2x(inp->inp_socket->so_cred, &xuc);
 	error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
 out:
 	splx(s);
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 6eeb3a1..047a5d4 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -651,11 +651,7 @@ udp_getcred(SYSCTL_HANDLER_ARGS)
 	error = cr_cansee(req->td->td_proc->p_ucred, inp->inp_socket->so_cred);
 	if (error)
 		goto out;
-	bzero(&xuc, sizeof(xuc));
-	xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
-	xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
-	bcopy(inp->inp_socket->so_cred->cr_groups, xuc.cr_groups,
-	    sizeof(xuc.cr_groups));
+	cru2x(inp->inp_socket->so_cred, &xuc);
 	error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
 out:
 	splx(s);
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index 09fd898..2861f7f 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -486,11 +486,7 @@ udp6_getcred(SYSCTL_HANDLER_ARGS)
 		error = ENOENT;
 		goto out;
 	}
-	bzero(&xuc, sizeof(xuc));
-	xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
-	xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
-	bcopy(inp->inp_socket->so_cred->cr_groups, xuc.cr_groups,
-	    sizeof(xuc.cr_groups));
+	cru2x(inp->inp_socket->so_cred, &xuc);
 	error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
 out:
 	splx(s);
diff --git a/sys/security/lomac/kernel_socket.c b/sys/security/lomac/kernel_socket.c
index 541822b..3ed2ee1 100644
--- a/sys/security/lomac/kernel_socket.c
+++ b/sys/security/lomac/kernel_socket.c
@@ -265,11 +265,7 @@ lomac_local_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 		 * from its process structure at the time of connect()
 		 * (which is now).
 		 */
-		memset(&unp3->unp_peercred, '\0', sizeof(unp3->unp_peercred));
-		unp3->unp_peercred.cr_uid = td->td_proc->p_ucred->cr_uid;
-		unp3->unp_peercred.cr_ngroups = td->td_proc->p_ucred->cr_ngroups;
-		memcpy(unp3->unp_peercred.cr_groups, td->td_proc->p_ucred->cr_groups,
-		    sizeof(unp3->unp_peercred.cr_groups));
+		cru2x(td->td_proc->p_ucred, &unp3->unp_peercred);
 		unp3->unp_flags |= UNP_HAVEPC;
 		/*
 		 * The receiver's (server's) credentials are copied
diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h
index 03d4337..ed0d576 100644
--- a/sys/sys/ucred.h
+++ b/sys/sys/ucred.h
@@ -73,12 +73,13 @@ struct ucred {
  * any need to change the size of this or layout of its used fields.
  */
 struct xucred {
-	u_short	_cr_unused0;		/* compatibility with old ucred */
+	u_int	cr_version;		/* structure layout version */
 	uid_t	cr_uid;			/* effective user id */
 	short	cr_ngroups;		/* number of groups */
 	gid_t	cr_groups[NGROUPS];	/* groups */
 	void	*_cr_unused1;		/* compatibility with old ucred */
 };
+#define	XUCRED_VERSION	0
 
 #ifdef _KERNEL
 
@@ -96,6 +97,7 @@ void		crfree(struct ucred *cr);
 struct ucred	*crget(void);
 struct ucred	*crhold(struct ucred *cr);
 int		crshared(struct ucred *cr);
+void		cru2x(struct ucred *cr, struct xucred *xcr);
 int		groupmember(gid_t gid, struct ucred *cred);
 #endif /* _KERNEL */
 
diff --git a/usr.sbin/inetd/builtins.c b/usr.sbin/inetd/builtins.c
index 433c645..08c3c56 100644
--- a/usr.sbin/inetd/builtins.c
+++ b/usr.sbin/inetd/builtins.c
@@ -569,7 +569,7 @@ ident_stream(s, sep)		/* Ident service (AKA "auth") */
 		getcredfail = EAFNOSUPPORT;
 		break;
 	}
-	if (getcredfail != 0) {
+	if (getcredfail != 0 || uc.cr_version != XUCRED_VERSION) {
 		if (*idbuf == '\0')
 			iderror(lport, fport, s,
 			    getcredfail == ENOENT ? ID_NOUSER : ID_UNKNOWN);
diff --git a/usr.sbin/mountd/mountd.c b/usr.sbin/mountd/mountd.c
index b3f220e..862b61b 100644
--- a/usr.sbin/mountd/mountd.c
+++ b/usr.sbin/mountd/mountd.c
@@ -211,7 +211,7 @@ struct mountlist *mlhead;
 struct grouplist *grphead;
 char exname[MAXPATHLEN];
 struct xucred def_anon = {
-	0,
+	XUCRED_VERSION,
 	(uid_t)-2,
 	1,
 	{ (gid_t)-2 },
@@ -2050,6 +2050,7 @@ parsecred(namelist, cr)
 	struct group *gr;
 	int ngroups, groups[NGROUPS + 1];
 
+	cr->cr_version = XUCRED_VERSION;
 	/*
 	 * Set up the unprivileged user.
 	 */