Page MenuHomeFreeBSD
Differential D52960

sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode
Needs ReviewPublic
Actions

Authored by olce on Tue, Oct 7, 5:14 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Oct 10, 5:32 PM
Unknown Object (File)
Fri, Oct 10, 5:32 PM
Unknown Object (File)
Fri, Oct 10, 12:23 PM
Unknown Object (File)
Fri, Oct 10, 8:28 AM
Unknown Object (File)
Wed, Oct 8, 12:02 PM
Unknown Object (File)
Wed, Oct 8, 6:25 AM
Unknown Object (File)
Wed, Oct 8, 6:07 AM
Unknown Object (File)
Wed, Oct 8, 6:06 AM
View All 9 Files
Subscribers
emaste
imp

Details

Reviewers
rmacklem
dfr
Summary

When the received authentication message had more than XU_NGROUPS, we
would write group IDs beyond the end of cr_groups[] in the 'struct
xucred' being filled (as 'ngroups_max' is always greater than
XU_NGROUPS).

For robustness, prevent various OOB accesses that would result from
changes of values of XU_NGROUPS and AUTH_SYS_MAX_GROUPS or a 'struct
xucred' with an invalid 'cr_ngroups' field, even if these cases are
unlikely.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 67618
Build 64501: arc lint + arc unit

Revision Contents
Changeset List

PathSize
sys/
rpc/
42 lines

Diff 163711

View Options

sys/rpc/authunix_prot.c

Loading...