mountd: fix a crash when getgrouplist reports too many groups

Previously the code only warned about the condition and then happily proceeded to use the too large value resulting in the array out-of-bounds access. Obtained from: Panzura (Chuanbo Zheng) MFC after: 10 days Sponsored by: Panzura
2018-04-16 09:17:36 +00:00 · 2018-04-16 09:17:36 +00:00 · 020d6f96e3
commit 020d6f96e3
parent 746dddb134
1 changed files with 4 additions and 1 deletions
--- a/usr.sbin/mountd/mountd.c
+++ b/usr.sbin/mountd/mountd.c
@ -2915,8 +2915,11 @@ parsecred(char *namelist, struct xucred *cr)
 		}
 		cr->cr_uid = pw->pw_uid;
 		ngroups = XU_NGROUPS + 1;
-		if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups))
+		if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups)) {
 			syslog(LOG_ERR, "too many groups");
+			ngroups = XU_NGROUPS + 1;
+		}
+
 		/*
 		 * Compress out duplicate.
 		 */