svn commit: trunk/uClibc/libc/inet/rpc

[vapier at uclibc.org]

Author: vapier
Date: 2005-12-27 01:03:53 -0800 (Tue, 27 Dec 2005)
New Revision: 12983

Log:
2005-12-15 Aubrey.Li <aubreylee at gmail.com> writes:
When I mounted nfs on my target, the kernel crashed. And I found it
was caused by stack overflow. When I digged into it. I found the
following issue.

In the file "./uClibc/libc/inet/rpc/auth_unix.c"
 int max_nr_groups = sysconf (_SC_NGROUPS_MAX);
 gid_t gids[max_nr_groups];

And, NGROUPS_MAX is defined in the file "./linux-2.6.x/include/linux/limits.h"
#define NGROUPS_MAX       65536    /* supplemental group IDs are available */

OK, here we can know max_nr_groups is assigned to 65536, that means a
huge matrix "gids[65536] is in the function **authunix_create_default**.

My method is doing it by malloc, the patch as follows.


Modified:
   trunk/uClibc/libc/inet/rpc/auth_unix.c


Changeset:
Modified: trunk/uClibc/libc/inet/rpc/auth_unix.c
===================================================================
--- trunk/uClibc/libc/inet/rpc/auth_unix.c	2005-12-27 09:00:18 UTC (rev 12982)
+++ trunk/uClibc/libc/inet/rpc/auth_unix.c	2005-12-27 09:03:53 UTC (rev 12983)
@@ -183,8 +183,13 @@
   uid_t uid;
   gid_t gid;
   int max_nr_groups = sysconf (_SC_NGROUPS_MAX);
-  gid_t gids[max_nr_groups];
+  gid_t *gids;
+  AUTH *ret_auth;
 
+  gids = (gid_t*)malloc(sizeof(*gids) * max_nr_groups);
+  if (gids == NULL)
+    abort ();
+
   if (gethostname (machname, MAX_MACHINE_NAME) == -1)
     abort ();
   machname[MAX_MACHINE_NAME] = 0;
@@ -196,7 +201,9 @@
   /* This braindamaged Sun code forces us here to truncate the
      list of groups to NGRPS members since the code in
      authuxprot.c transforms a fixed array.  Grrr.  */
-  return __authunix_create (machname, uid, gid, MIN (NGRPS, len), gids);
+  ret_auth = __authunix_create (machname, uid, gid, MIN (NGRPS, len), gids);
+  free (gids);
+  return ret_auth;
 }
 strong_alias(__authunix_create_default,authunix_create_default)