Commit a2c47912 authored by Andrew Morton, committed by Linus Torvalds

[PATCH] groups_alloc(0) clobbers memory past end of block

From: Olaf Kirch <okir@suse.de>

Authentication code in net/sunrpc makes frequent use of groups_alloc(0),
which seems to clobber memory past the end of what it allocated.

If called with gidsetsize == 0, groups_alloc will set nblocks = 0,
but still does a

	group_info->blocks[0] = group_info->small_block;
parent 52e802f6
...@@ -1125,8 +1125,7 @@ struct group_info *groups_alloc(int gidsetsize) ...@@ -1125,8 +1125,7 @@ struct group_info *groups_alloc(int gidsetsize)
int nblocks; int nblocks;
int i; int i;
nblocks = (gidsetsize/NGROUPS_PER_BLOCK) + nblocks = (gidsetsize + NGROUPS_PER_BLOCK - 1) / NGROUPS_PER_BLOCK;
(gidsetsize%NGROUPS_PER_BLOCK?1:0);
group_info = kmalloc(sizeof(*group_info) + nblocks*sizeof(gid_t *), group_info = kmalloc(sizeof(*group_info) + nblocks*sizeof(gid_t *),
GFP_USER); GFP_USER);
if (!group_info) if (!group_info)
......
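
Review bot: the new nblocks expression in this hunk, (gidsetsize + NGROUPS_PER_BLOCK - 1) / NGROUPS_PER_BLOCK, still evaluates to 0 when gidsetsize == 0, exactly as the old divide-plus-remainder form did, so the kmalloc right below it still reserves no blocks[] pointer slots for that case. The group_info->blocks[0] store described in the commit message therefore has to be guarded, or the count clamped, in the part of the function that is collapsed here; a short comment next to the nblocks computation saying that zero is a possible result would make that dependency visible. Separately, gidsetsize is a signed int, so the added NGROUPS_PER_BLOCK - 1 can overflow for values near INT_MAX where the old form could not; it is worth confirming that callers bound gidsetsize before this point.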