From 38b45b65cdaac3cf3b531aecb77fd5d8085a2911 Mon Sep 17 00:00:00 2001 From: Rick Macklem Date: Tue, 9 Jun 2020 05:01:23 +0000 Subject: [PATCH] Fix a bug where XU_NGROUPS + 1 groups might be copied. r361780 fixed the code so that it would only remove the duplicate when it actually existed. However, that might have resulted in XU_NGROUPS + 1 groups being copied, running off the end of the array. This patch fixes the problem. Spotted during code inspection for other mountd changes. MFC after: 2 weeks --- usr.sbin/mountd/mountd.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr.sbin/mountd/mountd.c b/usr.sbin/mountd/mountd.c index a6450513d9c0..e283a8e1aad3 100644 --- a/usr.sbin/mountd/mountd.c +++ b/usr.sbin/mountd/mountd.c @@ -3481,6 +3481,8 @@ parsecred(char *namelist, struct xucred *cr) cr->cr_groups[cnt - 1] = groups[cnt]; } else { cr->cr_ngroups = ngroups; + if (cr->cr_ngroups > XU_NGROUPS) + cr->cr_ngroups = XU_NGROUPS; for (cnt = 1; cnt < ngroups; cnt++) cr->cr_groups[cnt] = groups[cnt]; }
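Review bot: the new clamp in this hunk limits only cr->cr_ngroups, while the copy loop two lines below is still bounded by the unclamped local (`for (cnt = 1; cnt < ngroups; cnt++)`), so in the XU_NGROUPS + 1 case the commit message describes the loop still writes cr->cr_groups[XU_NGROUPS], one element past the end of the array; the count field is now consistent but the out-of-bounds store remains. Suggest bounding the loop by the clamped value, e.g. `for (cnt = 1; cnt < cr->cr_ngroups; cnt++)`, or clamping `ngroups` itself before it is assigned, so both the count and the copy agree. A short comment stating that getgrouplist() may return one more entry than cr_groups can hold would also help the next reader see why the clamp is there.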