From 39d285839326931233653586fe8b30d9d4223bf2 Mon Sep 17 00:00:00 2001
From: tjr
Date: Tue, 21 Oct 2003 11:00:33 +0000
Subject: Reject negative ngrp arguments in linux_setgroups() and linux_setgroups16(); stops users being able to cause setgroups to clobber the kernel stack by copying in data past the end of the linux_gidset array.
---
 sys/compat/linux/linux_uid16.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'sys/compat/linux/linux_uid16.c')
diff --git a/sys/compat/linux/linux_uid16.c b/sys/compat/linux/linux_uid16.c
index 39dbfcd..06318eb 100644
--- a/sys/compat/linux/linux_uid16.c
+++ b/sys/compat/linux/linux_uid16.c
@@ -100,7 +100,7 @@ linux_setgroups16(struct thread *td, struct linux_setgroups16_args *args)
 #endif
 ngrp = args->gidsetsize;
- if (ngrp >= NGROUPS)
+ if (ngrp < 0 || ngrp >= NGROUPS)
 return (EINVAL);
 error = copyin(args->gidset, linux_gidset, ngrp * sizeof(l_gid16_t));
 if (error)
-- cgit v1.1
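Review bot: The added `ngrp < 0` test in linux_setgroups16() guards a user-supplied signed count, but nothing at the check says so, and a later cleanup could drop it as redundant; a comment such as `/* gidsetsize comes from userland and is signed: a negative value passes the upper bound and becomes a huge size_t in the copyin() length */` would pin the reason. The declaration of `ngrp` is outside the hunk; if it is a plain `int`, a single unsigned comparison, `if ((u_int)ngrp >= NGROUPS)`, rejects the same values and cannot be half-removed. The commit message also names linux_setgroups(), whose change is not part of this file-limited view, so the same bound should be confirmed there. The function body starts and ends outside the hunk.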