From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000) Subject: 0071-proc/readproc.c: Harden supgrps_from_supgids(). X-Git-Tag: v4.0.0~593 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ec0cb25af6604ea908a4ed425bae31d1fbd67e86;p=procps-ng 0071-proc/readproc.c: Harden supgrps_from_supgids(). 1/ Prevent an integer overflow of t. 2/ Avoid an infinite loop if s contains characters other than comma, spaces, +, -, and digits. 3/ Handle all possible return values of snprintf(). ---------------------------- adapted for newlib branch . we can't use xrealloc(), so we use realloc() instead . and must account for a mem failure via a return of 1 Signed-off-by: Jim Warner
---
diff --git a/proc/readproc.c b/proc/readproc.c
index a53f0775..ca5b16f4 100644
--- a/proc/readproc.c
+++ b/proc/readproc.c
@@ -478,11 +478,25 @@ static int supgrps_from_supgids (proc_t *p) {
 s = p->supgid;
 t = 0;
 do {
- if (',' == *s) ++s;
- g = pwcache_get_group((uid_t)strtol(s, &s, 10));
- if (!(p->supgrp = realloc(p->supgrp, P_G_SZ+t+2)))
+ const int max = P_G_SZ+2;
+ char *end = NULL;
+ gid_t gid;
+ int len;
+
+ while (',' == *s) ++s;
+ gid = strtol(s, &end, 10);
+ if (end <= s) break;
+ s = end;
+ g = pwcache_get_group(gid);
+
+ if ((t >= INT_MAX - max)
+ || (!(p->supgrp = realloc(p->supgrp, t + max))))
 return 1;
- t += snprintf(p->supgrp+t, P_G_SZ+2, "%s%s", t ? "," : "", g);
+
+ len = snprintf(p->supgrp+t, max, "%s%s", t ? "," : "", g);
+ if (len <= 0) (p->supgrp+t)[len = 0] = '\0';
+ else if (len >= max) len = max-1;
+ t += len;
 } while (*s);
 return 0;
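Review bot: The added `if (end <= s) break;` can leave the loop before anything has been allocated, and the function then reaches `return 0;` without ever assigning `p->supgrp`; if that pointer is NULL on entry (the start of supgrps_from_supgids() and its closing brace are outside this hunk, so this is an assumption), callers see success and a NULL string. After the loop I would add a fallback such as `if (!p->supgrp && !(p->supgrp = strdup("-"))) return 1;` so an unparsable `supgid` still yields a valid string. Separately, `p->supgrp = realloc(p->supgrp, t + max)` overwrites the only reference to the old buffer when realloc() fails, so the `return 1` path leaks it; assigning through a temporary (`char *tmp = realloc(p->supgrp, t + max); if (!tmp) return 1; p->supgrp = tmp;`) keeps the old block reachable for the caller's cleanup. `gid = strtol(s, &end, 10);` also narrows a long into a gid_t with no ERANGE or range check, which deserves at least a comment stating that out-of-range values are accepted as-is.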