diff options
| author | tjr <tjr@FreeBSD.org> | 2003-10-21 11:00:33 +0000 |
|---|---|---|
| committer | tjr <tjr@FreeBSD.org> | 2003-10-21 11:00:33 +0000 |
| commit | 39d285839326931233653586fe8b30d9d4223bf2 (patch) | |
| tree | f53aed1acdd4b2683ac1f22d7277e9a5b5fc44cb /sys/compat/linux/linux_uid16.c | |
| parent | b85e19be51a849328cd3196610b8be7f113beeee (diff) | |
| download | FreeBSD-src-39d285839326931233653586fe8b30d9d4223bf2.zip FreeBSD-src-39d285839326931233653586fe8b30d9d4223bf2.tar.gz | |
Reject negative ngrp arguments in linux_setgroups() and linux_setgroups16();
stops users being able to cause setgroups to clobber the kernel stack by
copying in data past the end of the linux_gidset array.
Diffstat (limited to 'sys/compat/linux/linux_uid16.c')
| -rw-r--r-- | sys/compat/linux/linux_uid16.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/compat/linux/linux_uid16.c b/sys/compat/linux/linux_uid16.c index 39dbfcd..06318eb 100644 --- a/sys/compat/linux/linux_uid16.c +++ b/sys/compat/linux/linux_uid16.c @@ -100,7 +100,7 @@ linux_setgroups16(struct thread *td, struct linux_setgroups16_args *args) #endif ngrp = args->gidsetsize; - if (ngrp >= NGROUPS) + if (ngrp < 0 || ngrp >= NGROUPS) return (EINVAL); error = copyin(args->gidset, linux_gidset, ngrp * sizeof(l_gid16_t)); if (error) |
