Fix a bug where XU_NGROUPS + 1 groups might be copied.

r361780 fixed the code so that it would only remove the duplicate when
it actually existed. However, that might have resulted in XU_NGROUPS + 1
groups being copied, running off the end of the array. This patch fixes
the problem.

Spotted during code inspection for other mountd changes.

MFC after:	2 weeks
This commit is contained in:
Rick Macklem 2020-06-09 05:01:23 +00:00
parent 3e5fae34fc
commit 38b45b65cd

View File

@ -3481,6 +3481,8 @@ parsecred(char *namelist, struct xucred *cr)
cr->cr_groups[cnt - 1] = groups[cnt]; cr->cr_groups[cnt - 1] = groups[cnt];
} else { } else {
cr->cr_ngroups = ngroups; cr->cr_ngroups = ngroups;
if (cr->cr_ngroups > XU_NGROUPS)
cr->cr_ngroups = XU_NGROUPS;
for (cnt = 1; cnt < ngroups; cnt++) for (cnt = 1; cnt < ngroups; cnt++)
cr->cr_groups[cnt] = groups[cnt]; cr->cr_groups[cnt] = groups[cnt];
} }