diff --git a/sys/kern/subr_param.c b/sys/kern/subr_param.c
--- a/sys/kern/subr_param.c
+++ b/sys/kern/subr_param.c
@@ -228,14 +228,32 @@
 TUNABLE_ULONG_FETCH("kern.sgrowsiz", &sgrowsiz);
 
 /*
- * Let the administrator set {NGROUPS_MAX}, but disallow values
- * less than NGROUPS_MAX which would violate POSIX.1-2008 or
- * greater than INT_MAX-1 which would result in overflow.
+ * Let the administrator set {NGROUPS_MAX}.
+ *
+ * Values less than NGROUPS_MAX would violate POSIX/SuS (see the
+ * specification for , paragraph "Runtime Increasable
+ * Values").
+ *
+ * On the other hand, INT_MAX would result in an overflow for the common
+ * 'ngroups_max + 1' computation (to obtain the size of the internal
+ * groups array, its first element being reserved for the effective
+ * GID). Also, the number of allocated bytes for the group array must
+ * not overflow on 32-bit machines. For all these reasons, we limit the
+ * number of supplementary groups to some very high number that we
+ * expect will never be reached in all practical uses and ensures we
+ * avoid the problems just exposed, even if 'gid_t' was to be enlarged
+ * by a magnitude.
  */
 ngroups_max = NGROUPS_MAX;
 TUNABLE_INT_FETCH("kern.ngroups", &ngroups_max);
 if (ngroups_max < NGROUPS_MAX)
 ngroups_max = NGROUPS_MAX;
+ else {
+ const int ngroups_max_max = (1 << 24) - 1;
+
+ if (ngroups_max > ngroups_max_max)
+ ngroups_max = ngroups_max_max;
+ }
 
 /*
 * Only allow to lower the maximal pid.
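Review bot: The new `else` branch at the end of the hunk silently lowers an oversized `kern.ngroups` tunable to `ngroups_max_max` (16777215) with no message, so an administrator who mistypes the value in loader.conf gets a different limit than requested and nothing in dmesg says so; a one-line report before the assignment, `printf("kern.ngroups: %d too large, limiting to %d\n", ngroups_max, ngroups_max_max);`, would make the clamp visible (both the lower and the upper clamp could use the same treatment). The long comment explains why an upper bound is needed but never states what the bound is, so the `(1 << 24) - 1` literal reads as a magic number; I would either add a closing sentence such as `* The current ceiling is 2^24 - 1 supplementary groups.` or hoist the constant to a named macro next to NGROUPS_MAX so the comment and the value cannot drift apart. As rendered here the reference in the comment reads "specification for , paragraph", i.e. the header name appears to have been lost; if that is a rendering artifact of the angle brackets rather than the committed text, no action is needed, otherwise restore `<limits.h>`. The enclosing function starts before and continues after this hunk.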