Re: [patch] groups: integer underflow in groups_alloc()

2015-02-23 Thread J. Bruce Fields
On Mon, Feb 23, 2015 at 09:03:27PM +0300, Dan Carpenter wrote:
> On Mon, Feb 23, 2015 at 11:10:02AM -0600, Eric W. Biederman wrote:
> > Dan Carpenter writes:
> >
> > > This is called from rsc_parse() with a user controlled value. Say for
> > > example that "gidsetsize" is negative, then we could

Re: [patch] groups: integer underflow in groups_alloc()

2015-02-23 Thread Eric W. Biederman
Dan Carpenter writes:
> On Mon, Feb 23, 2015 at 11:10:02AM -0600, Eric W. Biederman wrote:
>> Dan Carpenter writes:
>>
>> > This is called from rsc_parse() with a user controlled value. Say for
>> > example that "gidsetsize" is negative, then we could end up allocating
>> > less than sizeof(str

Re: [patch] groups: integer underflow in groups_alloc()

2015-02-23 Thread Dan Carpenter
On Mon, Feb 23, 2015 at 11:10:02AM -0600, Eric W. Biederman wrote:
> Dan Carpenter writes:
>
> > This is called from rsc_parse() with a user controlled value. Say for
> > example that "gidsetsize" is negative, then we could end up allocating
> > less than sizeof(struct group_info) leading to memo

Re: [patch] groups: integer underflow in groups_alloc()

2015-02-23 Thread Eric W. Biederman
Dan Carpenter writes:
> This is called from rsc_parse() with a user controlled value. Say for
> example that "gidsetsize" is negative, then we could end up allocating
> less than sizeof(struct group_info) leading to memory corruption.

Right now it is the responsibility of the caller of groups_al

[patch] groups: integer underflow in groups_alloc()

2015-02-23 Thread Dan Carpenter
This is called from rsc_parse() with a user controlled value. Say for example that "gidsetsize" is negative, then we could end up allocating less than sizeof(struct group_info) leading to memory corruption.

Signed-off-by: Dan Carpenter
---
I copied the NGROUPS_MAX limit from the surrounding code,