[PATCH] Fix potential use after free in uidswap.c (portable)
Darren Tucker
dtucker at zip.com.au
Mon Jun 22 11:36:45 AEST 2015
On Sun, Jun 21, 2015 at 12:31 AM, Albert S. <mail at quitesimple.org> wrote:
> Fixes a potential (but probably rather unlikely) use after free bug in
> function temporarily_use_uid(), file uidswap.c.
>
Does seem unlikely (with zero entries there's no reason for it to deref the
pointer), however reading the man pages it seems like there's no guarantee
that it won't, so seems reasonable to me. Damien?
> --- a/uidswap.c
> +++ b/uidswap.c
> @@ -113,8 +113,9 @@ temporarily_use_uid(struct passwd *pw)
> }
> }
> /* Set the effective uid to the given (unprivileged) uid. */
> - if (setgroups(user_groupslen, user_groups) < 0)
> - fatal("setgroups: %.100s", strerror(errno));
> + if (user_groupslen > 0 &&
> + (setgroups(user_groupslen, user_groups)) < 0)
> + fatal("setgroups: %.100s", strerror(errno));
>
> Best regards,
> Albert
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list