[PATCH] NGROUPS_MAX will cause stack overflow
Aubrey
aubreylee at gmail.com
Thu Dec 15 06:07:02 UTC 2005
Hi all,
When I mounted nfs on my target, the kernel crashed. And I found it
was caused by stack overflow. When I dug into it, I found the
following issue.
In the file "./uClibc/libc/inet/rpc/auth_unix.c"
AUTH * authunix_create_default (void)
{
- - - snip - - -
int max_nr_groups = sysconf (_SC_NGROUPS_MAX);
gid_t gids[max_nr_groups];
- - - snip - - -
}
**sysconf** is defined in the file "./uClibc/libc/unistd/sysconf.c"
long int __sysconf(int name)
{
- - - snip - - -
switch (name)
{
- - - snip - - -
case _SC_NGROUPS_MAX:
#ifdef NGROUPS_MAX
return NGROUPS_MAX;
#else
RETURN_NEG_1;
#endif
- - - snip - - -
}
And, NGROUPS_MAX is defined in the file "./linux-2.6.x/include/linux/limits.h"
#define NGROUPS_MAX 65536 /* supplemental group IDs are available */
OK, here we can see that max_nr_groups is assigned 65536, which means a
huge matrix "gids[65536]" is in the function **authunix_create_default**.
My method is to do it with malloc; the patch is as follows:
2005-12-15 Aubrey.Li <aubreylee at gmail.com>
* libc/inet/rpc/auth_unix.c: using malloc to alloc
memory for gids.
Index: libc/inet/rpc/auth_unix.c
==========================================================
--- auth_unix.c 2005-12-15 12:35:25.000000000 +0800
+++ auth_unix.c 2005-12-15 12:35:00.000000000 +0800
@@ -171,7 +171,11 @@
uid_t uid;
gid_t gid;
int max_nr_groups = sysconf (_SC_NGROUPS_MAX);
- gid_t gids[max_nr_groups];
+ gid_t *gids;
+ AUTH *auth;
+
+ if(gids=(gid_t *)malloc(sizeof(gid_t)*max_nr_groups) == NULL)
+ return NULL;
if (gethostname (machname, MAX_MACHINE_NAME) == -1)
abort ();
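Review bot: In the added line "if(gids=(gid_t *)malloc(sizeof(gid_t)*max_nr_groups) == NULL)", the == operator binds tighter than =, so gids is assigned the result of the comparison (0 or 1) instead of the pointer returned by malloc. When malloc succeeds, gids ends up as a null pointer, the test is false, the function continues with it, and the allocation is leaked. Parenthesize the assignment: "if ((gids = malloc (sizeof (gid_t) * max_nr_groups)) == NULL)". Two smaller points in the same hunk: max_nr_groups should be checked before it is used as a size, since the sysconf excerpt earlier in this message can return -1 for _SC_NGROUPS_MAX, and this path returns NULL while the gethostname failure just below calls abort (), so the error behaviour of the function is now inconsistent.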
@@ -184,7 +188,9 @@
/* This braindamaged Sun code forces us here to truncate the
list of groups to NGRPS members since the code in
authuxprot.c transforms a fixed array. Grrr. */
- return authunix_create (machname, uid, gid, MIN (NGRPS, len), gids);
+ auth = authunix_create (machname, uid, gid, MIN (NGRPS, len), gids);
+ free(gids);
+ return auth;
}
/*
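Review bot: The free(gids) added right after the authunix_create call is only correct if authunix_create copies the group list and does not keep the gids pointer in the AUTH it returns. That is not visible in this hunk, so please confirm it and state it in a short comment above the free. As a style point, the surrounding code writes calls with a space before the parenthesis ("authunix_create (machname, ...", "abort ()"), so "free(gids)" should be "free (gids)" to match.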
Thanks,
Aubrey
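The sizing problem described in this message, as an added example that is not part of the original post or of uClibc: it computes what the "gid_t gids[max_nr_groups]" array would take from the stack, then fetches the group list from the heap instead. The function names gids_vla_bytes and get_groups_heap are hypothetical, and sizing the buffer with getgroups(0, NULL) is a different technique from the sysconf-based sizing in the patch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Stack bytes a VLA "gid_t gids[n]" would need; 0 when n cannot be a valid
   array length (for example the -1 that sysconf may return). */
size_t gids_vla_bytes(long n)
{
    if (n <= 0 || (unsigned long)n > SIZE_MAX / sizeof(gid_t))
        return 0;
    return (size_t)n * sizeof(gid_t);
}

/* Heap-backed fetch of the supplementary groups (hypothetical helper).
   Returns the group count and stores a malloc'd array in *out (caller
   frees it), or returns -1 with *out == NULL. */
int get_groups_heap(gid_t **out)
{
    *out = NULL;
    for (int attempt = 0; attempt < 4; attempt++) {
        int need = getgroups(0, NULL);   /* size 0: report the count only */
        if (need < 0)
            return -1;
        int cap = need + 1;              /* never pass 0 to the real call */
        gid_t *gids = malloc((size_t)cap * sizeof *gids);
        if (gids == NULL)                /* pointer is assigned, then tested */
            return -1;
        int len = getgroups(cap, gids);
        if (len >= 0) {
            *out = gids;
            return len;
        }
        free(gids);
        if (errno != EINVAL)             /* EINVAL: list grew, size it again */
            return -1;
    }
    return -1;
}

int main(void)
{
    gid_t *gids;
    int len = get_groups_heap(&gids);
    printf("VLA for NGROUPS_MAX=65536: %zu bytes of stack\n", gids_vla_bytes(65536));
    printf("heap buffer holds %d group(s)\n", len);
    free(gids);
    return len < 0;
}
```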