[PATCH] NGROUPS_MAX will cause stack overflow

Aubrey aubreylee at gmail.com
Thu Dec 15 06:07:02 UTC 2005


Hi all,

When I mounted NFS on my target, the kernel crashed, and I found it
was caused by a stack overflow. When I dug into it, I found the
following issue.

In the file "./uClibc/libc/inet/rpc/auth_unix.c"
AUTH * authunix_create_default (void)
{
- - - snip - - -
 int max_nr_groups = sysconf (_SC_NGROUPS_MAX);
 gid_t gids[max_nr_groups];
- - - snip - - -
}

**sysconf** is defined in the file "./uClibc/libc/unistd/sysconf.c"
long int __sysconf(int name)
{
- - - snip - - -
 switch (name)
   {
- - - snip - - -
   case _SC_NGROUPS_MAX:
#ifdef  NGROUPS_MAX
     return NGROUPS_MAX;
#else
     RETURN_NEG_1;
#endif
- - - snip - - -
}

And, NGROUPS_MAX is defined in the file "./linux-2.6.x/include/linux/limits.h"
#define NGROUPS_MAX       65536    /* supplemental group IDs are available */

OK, here we can see that max_nr_groups is assigned 65536, which means a
huge matrix gids[65536] is in the function **authunix_create_default**.

My method is to do it with malloc; the patch is as follows:

2005-12-15 Aubrey.Li <aubreylee at gmail.com>
	* libc/inet/rpc/auth_unix.c: using malloc to alloc memory for gids.
Index: libc/inet/rpc/auth_unix.c
==========================================================
--- auth_unix.c	2005-12-15 12:35:25.000000000 +0800
+++ auth_unix.c	2005-12-15 12:35:00.000000000 +0800
@@ -171,7 +171,11 @@
   uid_t uid;
   gid_t gid;
   int max_nr_groups = sysconf (_SC_NGROUPS_MAX);
-  gid_t gids[max_nr_groups];
+  gid_t *gids;
+  AUTH *auth;
+
+  if(gids=(gid_t *)malloc(sizeof(gid_t)*max_nr_groups) == NULL)
+	return NULL;

   if (gethostname (machname, MAX_MACHINE_NAME) == -1)
     abort ();
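Review bot: the malloc line in this hunk has a precedence bug: `==` binds tighter than `=`, so `gids=(gid_t *)malloc(...) == NULL` stores the result of the comparison (0 or 1) in `gids` and the real allocation is lost, leaving `gids` as a null or bogus pointer for the rest of the function. It should read `if ((gids = malloc (sizeof (gid_t) * max_nr_groups)) == NULL)`. Two further points on the same lines: `sysconf (_SC_NGROUPS_MAX)` returns -1 when NGROUPS_MAX is not defined (the RETURN_NEG_1 case quoted above), and a negative `max_nr_groups` turns into a huge size_t in the multiplication, so reject `max_nr_groups <= 0` before allocating; and now that `gids` is heap memory, the `abort ()` path here is fine, but any other early return between this hunk and the `free(gids)` in the next one must release the buffer or it leaks.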
@@ -184,7 +188,9 @@
   /* This braindamaged Sun code forces us here to truncate the
      list of groups to NGRPS members since the code in
      authuxprot.c transforms a fixed array.  Grrr.  */
-  return authunix_create (machname, uid, gid, MIN (NGRPS, len), gids);
+  auth = authunix_create (machname, uid, gid, MIN (NGRPS, len), gids);
+  free(gids);
+  return auth;
 }

 /*
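Review bot: `free(gids)` immediately after `authunix_create` is only correct if `authunix_create` copies the group list rather than keeping the `gids` pointer inside the AUTH it returns; the comment above says authuxprot.c transforms the list into a fixed array, which suggests a copy, but confirm that before merging, because otherwise the returned handle carries a dangling pointer. Minor style point: the added lines use `free(gids)` and `malloc(` without the space before the parenthesis that the surrounding code uses (`authunix_create (`, `gethostname (`); match the file's GNU style, and mention the precedence fix from the first hunk in the ChangeLog entry once it is applied.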


Thanks,
Aubrey
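As an added example (not part of Aubrey's mail and not uClibc code), here is the heap-allocation pattern the patch is after, written with the checks a reviewer would want: a -1 or oversized count from sysconf is rejected, the size multiplication is guarded against wrap-around, the assignment inside the condition is parenthesized so the pointer rather than the comparison result is stored, and the buffer is freed on the failure path. The names alloc_gid_buffer, fetch_supplementary_groups and demo_run are assumptions of this example; the 65536 fallback is the Linux limits.h value quoted in the mail.

```c
/* Added example, not uClibc code: heap-allocate the supplementary group
 * list instead of declaring gid_t gids[max_nr_groups] on the stack.
 * alloc_gid_buffer, fetch_supplementary_groups and demo_run are
 * hypothetical names chosen for this example. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef NGROUPS_MAX
#define NGROUPS_MAX 65536   /* the Linux limits.h value quoted in the mail */
#endif

/* Heap buffer for max_nr_groups entries, or NULL with errno set.
 * A gid_t gids[max_nr_groups] VLA would put 65536 * sizeof(gid_t) bytes
 * (256 KiB with a 4-byte gid_t) on the stack, which is what overflowed. */
gid_t *alloc_gid_buffer(long max_nr_groups)
{
    /* sysconf() reports "unknown" as -1; passed on unchecked, a negative
       count becomes a huge size_t in the multiplication below. */
    if (max_nr_groups <= 0) {
        errno = EINVAL;
        return NULL;
    }
    /* Guard the multiplication itself against wrap-around. */
    if ((unsigned long)max_nr_groups > SIZE_MAX / sizeof(gid_t)) {
        errno = ENOMEM;
        return NULL;
    }
    return malloc(sizeof(gid_t) * (size_t)max_nr_groups);
}

/* Stores a malloc'd copy of the process's supplementary groups in *out and
 * returns the count, or -1 (with *out == NULL) on failure.  Caller frees. */
int fetch_supplementary_groups(gid_t **out)
{
    long max_nr_groups = sysconf(_SC_NGROUPS_MAX);
    gid_t *gids;
    int len;

    *out = NULL;
    if (max_nr_groups < 0)
        max_nr_groups = NGROUPS_MAX;   /* fall back to the compile-time bound */
    if (max_nr_groups > INT_MAX)
        max_nr_groups = INT_MAX;       /* getgroups() takes an int count */

    /* The inner parentheses matter: "gids = f() == NULL" would assign the
       comparison result (0 or 1) to gids instead of the pointer. */
    if ((gids = alloc_gid_buffer(max_nr_groups)) == NULL)
        return -1;

    len = getgroups((int)max_nr_groups, gids);
    if (len < 0) {
        int saved = errno;
        free(gids);                    /* release on every failure path */
        errno = saved;
        return -1;
    }
    *out = gids;
    return len;
}

/* Uses the list, frees it, and returns the group count or -1. */
int demo_run(void)
{
    gid_t *list;
    int n = fetch_supplementary_groups(&list);
    if (n < 0) {
        perror("fetch_supplementary_groups");
        return -1;
    }
    for (int i = 0; i < n; i++)
        printf("gid[%d] = %u\n", i, (unsigned)list[i]);
    free(list);
    return n;
}

int main(void)
{
    return demo_run() < 0 ? 1 : 0;
}
```

Compared with the posted patch, the allocation is sized and checked in one place, so a caller that later wants to allocate only the NGRPS entries actually passed on to authunix_create can change a single line.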


