From 39d285839326931233653586fe8b30d9d4223bf2 Mon Sep 17 00:00:00 2001
From: tjr
Date: Tue, 21 Oct 2003 11:00:33 +0000
Subject: Reject negative ngrp arguments in linux_setgroups() and linux_setgroups16(); stops users being able to cause setgroups to clobber the kernel stack by copying in data past the end of the linux_gidset array.
---
 sys/compat/linux/linux_misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'sys/compat/linux/linux_misc.c')
diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c
index f271482..56b20f3 100644
--- a/sys/compat/linux/linux_misc.c
+++ b/sys/compat/linux/linux_misc.c
@@ -989,7 +989,7 @@ linux_setgroups(struct thread *td, struct linux_setgroups_args *args)
 struct proc *p;
 ngrp = args->gidsetsize;
- if (ngrp >= NGROUPS)
+ if (ngrp < 0 || ngrp >= NGROUPS)
 return (EINVAL);
 error = copyin(args->grouplist, linux_gidset, ngrp * sizeof(l_gid_t));
 if (error)
-- 
cgit v1.1
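Review bot: The guard on `ngrp` is only sufficient because of two things that sit outside this hunk: `ngrp` is a signed copy of the user-supplied `args->gidsetsize`, and `NGROUPS` is presumed to match the length of `linux_gidset`; neither declaration is visible here, and the function body continues past the hunk. Because `ngrp * sizeof(l_gid_t)` is evaluated as an unsigned size, a comment at the check would keep a later edit from dropping the sign test, e.g. `/* ngrp comes from userland and is signed; reject negatives before it is used as a copyin() length */`. Holding the count in an unsigned type would let the single upper-bound comparison cover both cases, and bounding it against `sizeof(linux_gidset) / sizeof(linux_gidset[0])` would tie the check to the buffer it protects. The commit message also names linux_setgroups16(), which is not part of this file's diff, so that function should be confirmed separately to carry the same guard.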