git: 5fe22e3d09bd - stable/14 - nfsuserd: Fix OOB access on membership of too many groups

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Olivier Certner <olce_at_FreeBSD.org>
Date: Fri, 10 Oct 2025 17:16:40 UTC
The branch stable/14 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=5fe22e3d09bd9e1f00913445bcf48a49ae0a1c6b

commit 5fe22e3d09bd9e1f00913445bcf48a49ae0a1c6b
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2025-10-09 09:19:37 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2025-10-10 17:16:02 +0000

    nfsuserd: Fix OOB access on membership of too many groups
    
    getgrouplist() sets the variable containing the allocated length in
    input to the full effective group list length, not the number of slots
    that were actually filled in case the passed array is too small to
    contain it.
    
    While here, on this condition, improve the error message by outputting
    the corresponding user name.
    
    MFC after:      1 hour
    Fixes:          e6c623c86ab4 ("Add support for the "-manage-gids" option to the nfsuserd daemon.")
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit bb339adfb2a26c5bb71cd4275dff80f615534ab6)
---
 usr.sbin/nfsuserd/nfsuserd.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/usr.sbin/nfsuserd/nfsuserd.c b/usr.sbin/nfsuserd/nfsuserd.c
index 08e8c3c5e6a2..9df50e27efd1 100644
--- a/usr.sbin/nfsuserd/nfsuserd.c
+++ b/usr.sbin/nfsuserd/nfsuserd.c
@@ -422,8 +422,12 @@ main(int argc, char *argv[])
 			/* Get the group list for this user. */
 			ngroup = NGROUPS;
 			if (getgrouplist(pwd->pw_name, pwd->pw_gid, grps,
-			    &ngroup) < 0)
-				syslog(LOG_ERR, "Group list too small");
+			    &ngroup) < 0) {
+				syslog(LOG_ERR,
+				    "Group list of user '%s' too big",
+				    pwd->pw_name);
+				ngroup = NGROUPS;
+			}
 			nid.nid_ngroup = ngroup;
 			nid.nid_grps = grps;
 		} else {
@@ -622,8 +626,11 @@ nfsuserdsrv(struct svc_req *rqstp, SVCXPRT *transp)
 				/* Get the group list for this user. */
 				ngroup = NGROUPS;
 				if (getgrouplist(pwd->pw_name, pwd->pw_gid,
-				    grps, &ngroup) < 0)
-					syslog(LOG_ERR, "Group list too small");
+				    grps, &ngroup) < 0) {
+					syslog(LOG_ERR,
+					    "Group list of user '%s' too big",
+					    pwd->pw_name);
+				}
 				nid.nid_ngroup = ngroup;
 				nid.nid_grps = grps;
 			} else {