From: Dan K. <da...@ke...> - 2003-06-30 15:27:30
|
It looks like none of the tests in ltp-full-20030606/testcases/kernel/syscalls/getgroups/*.c test the case where you have 39 groups where 39 is greater than NGROUPS, /usr/include/asm/param.h:#define NGROUPS 32 Looks like glibc might have a crash in this case. - Dan -------- Original Message -------- Subject: [Volker.Lendecke@SerNet.DE: glibc 2.2.5 and 2.3.2 getgrouplist broken?] Date: Mon, 30 Jun 2003 10:38:52 +0200 From: Volker Lendecke <Volker.Lendecke@SerNet.DE> Reply-To: Volker.Lendecke@SerNet.DE Organization: Service Network GmbH, Goettingen, Germany To: lib...@so... Hi! I was asked to forward this bug report here. Please excuse my strong wording at the end, it took me really a while to see that this *might* not be a Samba problem... Volker ----- Forwarded message from Volker Lendecke <Volker.Lendecke@SerNet.DE> ----- Date: Fri, 27 Jun 2003 17:47:17 +0200 From: Volker Lendecke <Volker.Lendecke@SerNet.DE> To: sam...@sa... Subject: glibc 2.2.5 and 2.3.2 getgrouplist broken? Sender: Volker Lendecke <vl...@se...> Hi! I've just tried to chase down a segfault in Samba. The Realloc in auth_util.c:670 segfaulted for a customer of mine on a glibc system. The problem is that he had a user with 39 groups in /etc/group imported via winbind. Ok, this is too much, but at least we should not segfault. But it's not samba's fault: It's the libc's getgrouplist function. The following is the code from the debian libc6 2.2.5 source package for getgrouplist: /* Store at most *NGROUPS members of the group set for USER into *GROUPS. Also include GROUP. The actual number of groups found is returned in *NGROUPS. Return -1 if the if *NGROUPS is too small. */ int getgrouplist (const char *user, gid_t group, gid_t *groups, int *ngroups) { gid_t *newgroups; long int size = *ngroups; int result; newgroups = (gid_t *) malloc (size * sizeof (gid_t)); if (__builtin_expect (newgroups == NULL, 0)) /* No more memory. */ return -1; result = internal_getgrouplist (user, group, &size, &newgroups, -1); if (result > *ngroups) { *ngroups = result; result = -1; } else *ngroups = result; memcpy (groups, newgroups, *ngroups * sizeof (gid_t)); free (newgroups); return result; } The memcpy simply assumes to have room in the "groups" array for anything that it finds in /etc/group. We allocate NGROUPS_MAX for the array and hand that to libc which then happily overwrites past the end of the array. To me this does not really look usable. BTW, the code in glibc-2.3.2 looks exactly the same. So what do you think about never using that crap? Volker ----- End forwarded message ----- -- Dan Kegel http://www.kegel.com http://counter.li.org/cgi-bin/runscript/display-person.cgi?user=78045 |