git: ef40e02a8d78 - stable/15 - nfsuserd: Fix OOB access on membership of too many groups

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Olivier Certner <olce_at_FreeBSD.org>
Date: Thu, 09 Oct 2025 20:41:24 UTC
The branch stable/15 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=ef40e02a8d788f1e96f4f89c0b96fb50a4aad8e7

commit ef40e02a8d788f1e96f4f89c0b96fb50a4aad8e7
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2025-10-09 09:19:37 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2025-10-09 20:40:43 +0000

    nfsuserd: Fix OOB access on membership of too many groups
    
    getgrouplist() sets the variable containing the allocated length in
    input to the full effective group list length, not the number of slots
    that were actually filled in case the passed array is too small to
    contain it.
    
    While here, on this condition, improve the error message by outputting
    the corresponding user name.
    
    MFC after:      1 hour
    Fixes:          e6c623c86ab4 ("Add support for the "-manage-gids" option to the nfsuserd daemon.")
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit bb339adfb2a26c5bb71cd4275dff80f615534ab6)
---
 usr.sbin/nfsuserd/nfsuserd.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/usr.sbin/nfsuserd/nfsuserd.c b/usr.sbin/nfsuserd/nfsuserd.c
index 29d816934600..0e5c9c8f1e50 100644
--- a/usr.sbin/nfsuserd/nfsuserd.c
+++ b/usr.sbin/nfsuserd/nfsuserd.c
@@ -421,8 +421,12 @@ main(int argc, char *argv[])
 			/* Get the group list for this user. */
 			ngroup = NGROUPS;
 			if (getgrouplist(pwd->pw_name, pwd->pw_gid, grps,
-			    &ngroup) < 0)
-				syslog(LOG_ERR, "Group list too small");
+			    &ngroup) < 0) {
+				syslog(LOG_ERR,
+				    "Group list of user '%s' too big",
+				    pwd->pw_name);
+				ngroup = NGROUPS;
+			}
 			nid.nid_ngroup = ngroup;
 			nid.nid_grps = grps;
 		} else {
@@ -621,8 +625,11 @@ nfsuserdsrv(struct svc_req *rqstp, SVCXPRT *transp)
 				/* Get the group list for this user. */
 				ngroup = NGROUPS;
 				if (getgrouplist(pwd->pw_name, pwd->pw_gid,
-				    grps, &ngroup) < 0)
-					syslog(LOG_ERR, "Group list too small");
+				    grps, &ngroup) < 0) {
+					syslog(LOG_ERR,
+					    "Group list of user '%s' too big",
+					    pwd->pw_name);
+				}
 				nid.nid_ngroup = ngroup;
 				nid.nid_grps = grps;
 			} else {