summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlexander Bluhm <bluhm@cvs.openbsd.org>2019-07-09 12:23:26 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2019-07-09 12:23:26 +0000
commitdef1f285c1a552de2fac89226dcdd2dfda0923de (patch)
tree0ac39aa87583722ad54d125589efd42d24280355
parent9a1da5a1ec2ac6f3861c7e3353fb568e4086639d (diff)
The system calls getgroups(2) and setgroups(2) pass the number of
groups as signed int. Do not use unsigned int within the kernel for length calculations. Now getgroups(2) fails with EINVAL if called with negative length value. from Moritz Buhl; OK millert@
-rw-r--r--sys/kern/kern_prot.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 72297db4f8d..67c6c1020d5 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_prot.c,v 1.75 2018/06/22 13:33:30 visa Exp $ */
+/* $OpenBSD: kern_prot.c,v 1.76 2019/07/09 12:23:25 bluhm Exp $ */
/* $NetBSD: kern_prot.c,v 1.33 1996/02/09 18:59:42 christos Exp $ */
/*
@@ -196,7 +196,7 @@ sys_getgroups(struct proc *p, void *v, register_t *retval)
syscallarg(gid_t *) gidset;
} */ *uap = v;
struct ucred *uc = p->p_ucred;
- u_int ngrp;
+ int ngrp;
int error;
if ((ngrp = SCARG(uap, gidsetsize)) == 0) {
@@ -870,13 +870,13 @@ sys_setgroups(struct proc *p, void *v, register_t *retval)
struct process *pr = p->p_p;
struct ucred *pruc, *newcred;
gid_t groups[NGROUPS_MAX];
- u_int ngrp;
+ int ngrp;
int error;
if ((error = suser(p)) != 0)
return (error);
ngrp = SCARG(uap, gidsetsize);
- if (ngrp > NGROUPS_MAX)
+ if (ngrp > NGROUPS_MAX || ngrp < 0)
return (EINVAL);
error = copyin(SCARG(uap, gidset), groups, ngrp * sizeof(gid_t));
if (error == 0) {