authorAndrew Morton <akpm@osdl.org>2004-05-14 20:26:11 -0700
committerLinus Torvalds <torvalds@ppc970.osdl.org>2004-05-14 20:26:11 -0700
commita2c4791239dabcebcefbfa2c48a30186bd8bea31 (patch)
treea8fbd1bdf847be301a1e6f021527241691515c4a /kernel
parent52e802f6e70ec2eb746404cc37a56e79b834ed6b (diff)
[PATCH] groups_alloc(0) clobbers memory past end of block
From: Olaf Kirch <okir@suse.de> Authentication code in net/sunrpc makes frequent use of groups_alloc(0), which seems to clobber memory past the end of what it allocated. If called with gidsetsize == 0, groups_alloc will set nblocks = 0, but still does a group_info->blocks[0] = group_info->small_block;
Diffstat (limited to 'kernel')
-rw-r--r--kernel/sys.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/kernel/sys.c b/kernel/sys.c
index 6c700952637c0a..f1592864a826a9 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1125,8 +1125,7 @@ struct group_info *groups_alloc(int gidsetsize)
int nblocks;
int i;
- nblocks = (gidsetsize/NGROUPS_PER_BLOCK) +
- (gidsetsize%NGROUPS_PER_BLOCK?1:0);
+ nblocks = (gidsetsize + NGROUPS_PER_BLOCK - 1) / NGROUPS_PER_BLOCK;
group_info = kmalloc(sizeof(*group_info) + nblocks*sizeof(gid_t *),
GFP_USER);
if (!group_info)
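Review bot: The new expression on the `nblocks =` line still evaluates to 0 when `gidsetsize == 0`, exactly as the two removed lines did, so the `kmalloc()` below it still reserves no `blocks[]` slot in the case the commit message describes. The `group_info->blocks[0] = group_info->small_block` store quoted in the description lies outside this hunk, but unless it is changed elsewhere it would still write past the end of the allocation. A guard right after the computation, `if (nblocks == 0) nblocks = 1; /* always allocate at least one block pointer */`, would close that case. This view is limited to kernel/, so the commit may touch other files, and the body of groups_alloc() continues past the end of the hunk.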