From a247f2cf6f0faeec72aae99fab929037aa5edaab Mon Sep 17 00:00:00 2001
From: rwatson
Date: Sun, 27 May 2007 17:14:33 +0000
Subject: In ncp_conn_alloc(), a new credential pointer, 'owner', is set up to point at the credential to be used by the connection. However, the pointer's value was ignored when actually setting hcp->nc_owner. (1) Do set nc_owner to the owner pointer value so that the credential is not discarded after being carefully configured. (2) In the case where we create a new credential with modified uid, copy the existing credential to initialize non-uid fields to existing values, which will lead to a fully initialized MAC label, groups, etc. Found with: Coverity Prevent(tm) CID: 2226
---
sys/netncp/ncp_conn.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sys/netncp/ncp_conn.c b/sys/netncp/ncp_conn.c
index 370b004..6987b61 100644
--- a/sys/netncp/ncp_conn.c
+++ b/sys/netncp/ncp_conn.c
@@ -223,10 +223,10 @@ ncp_conn_alloc(struct ncp_conn_args *cap, struct thread *td, struct ucred *cred,
 if (cap->saddr.sa_family != AF_INET &&
 cap->saddr.sa_family != AF_IPX)
 return EPROTONOSUPPORT;
- isroot = ncp_suser(cred) == 0;
 /*
- * Only root can change ownership
+ * Only root can change ownership.
 */
+ isroot = ncp_suser(cred) == 0;
 if (cap->owner != NCP_DEFAULT_OWNER && !isroot)
 return EPERM;
 if (cap->group != NCP_DEFAULT_GROUP &&
@@ -234,6 +235,7 @@ ncp_conn_alloc(struct ncp_conn_args *cap, struct thread *td, struct ucred *cred,
 return EPERM;
 if (cap->owner != NCP_DEFAULT_OWNER) {
 owner = crget();
+ crcopy(owner, cred);
 owner->cr_uid = cap->owner;
 } else
 owner = crhold(cred);
@@ -243,7 +244,7 @@ ncp_conn_alloc(struct ncp_conn_args *cap, struct thread *td, struct ucred *cred,
 lockinit(&ncp->nc_lock, PZERO, "ncplck", 0, 0);
 ncp_conn_cnt++;
 ncp->nc_id = ncp_next_ref++;
- ncp->nc_owner = cred;
+ ncp->nc_owner = owner;
 ncp->seq = 0;
 ncp->connid = 0xFFFF;
 ncp->li = *cap;
--
cgit v1.1
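Review bot: In the crget() branch, `crcopy(owner, cred);` followed by `owner->cr_uid = cap->owner;` overrides only the effective uid; everything else copied from the caller's credential, including the real and saved uids and the group list, stays the caller's, and the isroot check in the previous hunk means that caller is privileged. If a connection "owned" by another user is meant to keep a privileged real/saved uid that deserves a comment such as `/* Copy the caller's credential so MAC label, groups etc. are initialised; only the effective uid is overridden. */`, otherwise the other uid fields should be set too. Assigning cr_uid by hand also bypasses the per-uid accounting reference that, as far as I recall, FreeBSD's ucred carries next to cr_uid and that change_euid() updates together with it, so the new credential may stay accounted to the caller's uid; confirm whether that helper should be used instead of the direct store. crcopy() expects a freshly allocated single-reference destination, which crget() supplies here. ncp_conn_alloc() continues outside the hunk.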
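Review bot: `ncp->nc_owner = owner;` now stores the reference obtained by crget() or crhold() in the earlier hunk, so the reference pairing has to hold on every path: each error return between that acquisition and this line must crfree(owner), and the connection teardown must crfree() nc_owner exactly once. Both lie outside the hunks, so I cannot confirm them here, and nothing visible shows those paths were written with `owner` in mind, since before this change the crget() credential was never stored at all. A one-line comment would make the hand-off explicit: `/* nc_owner takes over the reference acquired via crget()/crhold() above. */`. ncp_conn_alloc() begins and ends outside this hunk.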