0071-proc/readproc.c: Harden supgrps_from_supgids().
1/ Prevent an integer overflow of t. 2/ Avoid an infinite loop if s contains characters other than comma, spaces, +, -, and digits. 3/ Handle all possible return values of snprintf(). ---------------------------- adapted for newlib branch . we can't use xrealloc(), so we use realloc() instead . and must account for a mem failure via a return of 1 Signed-off-by: Jim Warner <james.warner@comcast.net>
This commit is contained in:
Qualys Security Advisory
-
committed by
Craig Small
parent
807498f899
commit
ec0cb25af6
@ -478,11 +478,25 @@ static int supgrps_from_supgids (proc_t *p) {
|
|||||||
s = p->supgid;
|
s = p->supgid;
|
||||||
t = 0;
|
t = 0;
|
||||||
do {
|
do {
|
||||||
if (',' == *s) ++s;
|
const int max = P_G_SZ+2;
|
||||||
g = pwcache_get_group((uid_t)strtol(s, &s, 10));
|
char *end = NULL;
|
||||||
if (!(p->supgrp = realloc(p->supgrp, P_G_SZ+t+2)))
|
gid_t gid;
|
||||||
|
int len;
|
||||||
|
|
||||||
|
while (',' == *s) ++s;
|
||||||
|
gid = strtol(s, &end, 10);
|
||||||
|
if (end <= s) break;
|
||||||
|
s = end;
|
||||||
|
g = pwcache_get_group(gid);
|
||||||
|
|
||||||
|
if ((t >= INT_MAX - max)
|
||||||
|
|| (!(p->supgrp = realloc(p->supgrp, t + max))))
|
||||||
return 1;
|
return 1;
|
||||||
t += snprintf(p->supgrp+t, P_G_SZ+2, "%s%s", t ? "," : "", g);
|
|
||||||
|
len = snprintf(p->supgrp+t, max, "%s%s", t ? "," : "", g);
|
||||||
|
if (len <= 0) (p->supgrp+t)[len = 0] = '\0';
|
||||||
|
else if (len >= max) len = max-1;
|
||||||
|
t += len;
|
||||||
} while (*s);
|
} while (*s);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user