Bugzilla – Attachment 550 Details for
Bug 787
Minor security problem due to use of deprecated NGROUPS_MAX in uidswap.c (sshd)
[patch]
NGROUPS patch with our own get_ngroups()
openssh-NGROUPS-5.diff (text/plain), 3.92 KB, created by
Tim Hockin
on 2004-02-24 11:26:22 AEDT
Description:
NGROUPS patch with our own get_ngroups()
Filename:
MIME Type:
Creator:
Tim Hockin
Created:
2004-02-24 11:26:22 AEDT
Size:
3.92 KB
>Index: uidswap.c
>===================================================================
>RCS file: /cvs/openssh/uidswap.c,v
>retrieving revision 1.42
>diff -u -u -r1.42 uidswap.c
>--- uidswap.c 17 Dec 2003 07:53:26 -0000 1.42
>+++ uidswap.c 24 Feb 2004 00:20:12 -0000
>@@ -16,6 +16,7 @@
>
> #include "log.h"
> #include "uidswap.h"
>+#include "xmalloc.h"
>
> /*
> * Note: all these functions must work in all of the following cases:
>@@ -38,7 +39,7 @@
> /* Saved effective uid. */
> static int privileged = 0;
> static int temporarily_use_uid_effective = 0;
>-static gid_t saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX];
>+static gid_t *saved_egroups, *user_groups;
> static int saved_egroupslen = -1, user_groupslen = -1;
>
> /*
>@@ -68,18 +69,38 @@
>
> privileged = 1;
> temporarily_use_uid_effective = 1;
>- saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups);
>+
>+ saved_egroupslen = getgroups(0, NULL);
> if (saved_egroupslen < 0)
> fatal("getgroups: %.100s", strerror(errno));
>+ if (saved_egroupslen > 0) {
>+ saved_egroups = xrealloc(saved_egroups,
>+ saved_egroupslen * sizeof(gid_t));
>+ if (getgroups(saved_egroupslen, saved_egroups) < 0)
>+ fatal("getgroups: %.100s", strerror(errno));
>+ } else { /* saved_egroupslen == 0 */
>+ if (saved_egroups)
>+ xfree(saved_egroups);
>+ }
>
> /* set and save the user's groups */
> if (user_groupslen == -1) {
> if (initgroups(pw->pw_name, pw->pw_gid) < 0)
> fatal("initgroups: %s: %.100s", pw->pw_name,
> strerror(errno));
>- user_groupslen = getgroups(NGROUPS_MAX, user_groups);
>+
>+ user_groupslen = getgroups(0, NULL);
> if (user_groupslen < 0)
> fatal("getgroups: %.100s", strerror(errno));
>+ if (user_groupslen > 0) {
>+ user_groups = xrealloc(user_groups,
>+ user_groupslen * sizeof(gid_t));
>+ if (getgroups(user_groupslen, user_groups) < 0)
>+ fatal("getgroups: %.100s", strerror(errno));
>+ } else { /* user_groupslen == 0 */
>+ if (user_groups)
>+ xfree(user_groups);
>+ }
> }
> /* Set the effective uid to the given (unprivileged) uid. */
> if (setgroups(user_groupslen, user_groups) < 0)
>Index: groupaccess.c
>===================================================================
>RCS file: /cvs/openssh/groupaccess.c,v
>retrieving revision 1.7
>diff -u -u -r1.7 groupaccess.c
>--- groupaccess.c 14 May 2003 03:40:07 -0000 1.7
>+++ groupaccess.c 24 Feb 2004 00:20:12 -0000
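Review bot: The `else` branch for `saved_egroupslen == 0` frees `saved_egroups` with `xfree()` but leaves the static pointer dangling, so a later pass through this code that finds a non-empty group list hands an already-freed pointer to `xrealloc()`. Reset it after freeing, `xfree(saved_egroups); saved_egroups = NULL;`, and do the same for `user_groups`; that branch sits under `user_groupslen == -1` and looks one-shot, but the reset keeps the two paths consistent. The return value of the second `getgroups()` call is only tested for failure; assigning it back (`saved_egroupslen = getgroups(saved_egroupslen, saved_egroups)`) would keep the stored length tied to what was actually written into the buffer. The enclosing function starts and ends outside this hunk.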
>@@ -31,7 +31,39 @@
> #include "log.h"
>
> static int ngroups;
>-static char *groups_byname[NGROUPS_MAX + 1]; /* +1 for base/primary group */
>+static char **groups_byname;
>+
>+/*
>+ * Count group membership from the groups database. Some implementations of
>+ * getgrouplist() are not happy to return the right number of groups.
>+ */
>+static int
>+get_ngroups(const char *user, gid_t base)
>+{
>+ int ngroups = 1;
>+
>+ while (1) {
>+ struct group *gr = getgrent();
>+ char **memberp;
>+
>+ if (gr == NULL)
>+ break;
>+
>+ /* we already know we're part of the base group */
>+ if (gr->gr_gid == base)
>+ continue;
>+
>+ memberp = gr->gr_mem;
>+ while (*memberp) {
>+ if (!strcmp(user, *memberp))
>+ ngroups++;
>+ memberp++;
>+ }
>+ }
>+ endgrent();
>+
>+ return ngroups;
>+}
>
> /*
> * Initialize group access list for user with primary (base) and
>@@ -40,19 +72,23 @@
> int
> ga_init(const char *user, gid_t base)
> {
>- gid_t groups_bygid[NGROUPS_MAX + 1];
>+ gid_t *groups_bygid;
> int i, j;
> struct group *gr;
>
> if (ngroups > 0)
> ga_free();
>
>- ngroups = sizeof(groups_bygid) / sizeof(gid_t);
>+ ngroups = get_ngroups(user, base);
>+ groups_bygid = xmalloc(ngroups * sizeof(*groups_bygid));
>+ groups_byname = xmalloc(ngroups * sizeof(*groups_byname));
>+
> if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
> logit("getgrouplist: groups list too small");
> for (i = 0, j = 0; i < ngroups; i++)
> if ((gr = getgrgid(groups_bygid[i])) != NULL)
> groups_byname[j++] = xstrdup(gr->gr_name);
>+ xfree(groups_bygid);
> return (ngroups = j);
> }
>
>@@ -84,5 +120,6 @@
> for (i = 0; i < ngroups; i++)
> xfree(groups_byname[i]);
> ngroups = 0;
>+ xfree(groups_byname);
> }
> }
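Review bot: `get_ngroups()` calls `getgrent()` without a preceding `setgrent()`, so the count starts from wherever the group enumeration currently stands; if earlier code in the process left it part-way through, the result is an undercount. Add `setgrent();` before the `while (1)` loop. The local `int ngroups` also shadows the file-scope `static int ngroups`, which is legal but easy to misread; a name such as `count` would avoid that. Where the name service does not enumerate every group, the result is probably only an estimate, so a header comment such as `/* Returns an estimate; callers must still handle getgrouplist() reporting a larger count. */` would make that contract explicit.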
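Review bot: When `getgrouplist()` returns -1 in `ga_init()`, the code only logs and carries on. On implementations that write the required count back into `ngroups` (glibc does; others may not), the following `for` loop then reads `groups_bygid` and writes `groups_byname[j++]` past the sizes just allocated from the `get_ngroups()` estimate. With the old `NGROUPS_MAX + 1` arrays the bound was fixed; now it depends on a count that can be too low, so the failure path has to either grow the buffers and retry or stop. Silently clamping would be the wrong fix here, because a truncated list could make a group-based deny rule miss; the sketch below retries once and otherwise calls `fatal()`, and allocates `groups_byname` only after the final count is known.

```c
	int alloc;
	/* … unchanged: declarations, ga_free() of any previous list … */

	alloc = ngroups = get_ngroups(user, base);
	groups_bygid = xmalloc(alloc * sizeof(*groups_bygid));
	if (getgrouplist(user, base, groups_bygid, &ngroups) == -1) {
		/* estimate was too low: retry once with the size reported back */
		if (ngroups <= alloc)
			fatal("getgrouplist: groups list too small");
		alloc = ngroups;
		groups_bygid = xrealloc(groups_bygid,
		    alloc * sizeof(*groups_bygid));
		if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
			fatal("getgrouplist: groups list too small");
	}
	groups_byname = xmalloc(ngroups * sizeof(*groups_byname));
	/* … unchanged: getgrgid() loop filling groups_byname, xfree(groups_bygid) … */
```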
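Review bot: `xfree(groups_byname)` in the last hunk leaves the static pointer dangling, and the two closing braces suggest it sits inside a guard whose condition is outside the hunk (presumably `ngroups > 0`). `ga_init()` allocates `groups_byname` even when its loop ends with `j == 0`, and its own `if (ngroups > 0) ga_free();` then skips the free on the next call, so that array is leaked and the pointer overwritten. Reset the pointer with `xfree(groups_byname); groups_byname = NULL;` and key the release on the pointer rather than on the count, e.g. `if (groups_byname != NULL)`.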