The example code does not validate the supplied ngroups argument. On 32-bit systems this code can lead to heap overflows within the getgrouplist call. Verify that ngroups really contains the number of entries for which memory has been allocated.

While at it, fixed a small typo ("to" was missing).

Signed-off-by: Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx>

--- man3/getgrouplist.3 | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/man3/getgrouplist.3 b/man3/getgrouplist.3 index 1fe260b..da36cc7 100644 --- a/man3/getgrouplist.3 +++ b/man3/getgrouplist.3 @@ -97,7 +97,7 @@ groups, then returns \-1. In this case, the value returned in .IR *ngroups -can be used to resize the buffer passed to a further call +can be used to resize the buffer passed to a further call to .BR getgrouplist (). .SH VERSIONS This function is present since glibc 2.2.4. @@ -152,6 +152,7 @@ ngroups = 3 .SS Program source \& .EX +#include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <grp.h> @@ -163,6 +164,7 @@ main(int argc, char *argv[]) int ngroups; struct passwd *pw; struct group *gr; + gid_t *groups; if (argc != 3) { fprintf(stderr, "Usage: %s <user> <ngroups>\en", argv[0]); @@ -171,7 +173,12 @@ main(int argc, char *argv[]) ngroups = atoi(argv[2]); - gid_t *groups = malloc(sizeof(*groups) * ngroups); + if (ngroups < 0 || (size_t)ngroups > SIZE_MAX / sizeof(*groups)) { + fprintf(stderr, "ngroups invalid\en"); + exit(EXIT_FAILURE); + } + + groups = malloc(sizeof(*groups) * ngroups); if (groups == NULL) { perror("malloc"); exit(EXIT_FAILURE); -- 2.33.1
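Review bot: In the @@ -152,6 +152,7 @@ hunk the new #include <stdint.h> is the right header for SIZE_MAX (it is not guaranteed by <limits.h> or <stdlib.h>), so the later range check compiles on any C99 platform; nothing further needed here, just confirming the include is not stray.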
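Review bot: In the @@ -171,7 +173,12 @@ hunk the new range check still sits on top of atoi(argv[2]), which cannot report failure: a non-numeric argument silently becomes 0, and a value outside the range of int is undefined behaviour before the check ever runs. Since the whole point of this patch is to validate ngroups, consider parsing with strtol() and rejecting trailing garbage and ERANGE, e.g. `errno = 0; n = strtol(argv[2], &end, 10);` followed by a check that `*end == '\0' && errno == 0` and `0 <= n && n <= SIZE_MAX / sizeof(*groups)`, before assigning to ngroups. The check as written is otherwise sound: once `ngroups < 0` is excluded the cast to size_t is safe, and bounding it by SIZE_MAX / sizeof(*groups) rules out the wrap in `sizeof(*groups) * ngroups` that let malloc() return a buffer far smaller than the count later handed to getgrouplist(). Note that with int ngroups the second half of the condition can only fire on ILP32 targets (on LP64 INT_MAX is well below SIZE_MAX / sizeof(gid_t)), which matches the 32-bit case the commit message describes; a one-line comment saying so would save the next reader from wondering whether the comparison is dead code.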