glibc 2.2.5 and 2.3.2 getgrouplist broken?

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Jun 27 15:47:17 GMT 2003


I've just tried to chase down a segfault in Samba. The Realloc in
auth_util.c:670 segfaulted for a customer of mine on a glibc system. The
problem is that he had a user with 39 groups in /etc/group imported via
winbind. Ok, this is too much, but at least we should not segfault.

But it's not samba's fault: It's the libc's getgrouplist function. The
following is the code from the debian libc6 2.2.5 source package for

/* Store at most *NGROUPS members of the group set for USER into
   *GROUPS.  Also include GROUP.  The actual number of groups found is
   returned in *NGROUPS.  Return -1 if the if *NGROUPS is too small.  */
getgrouplist (const char *user, gid_t group, gid_t *groups, int *ngroups)
  gid_t *newgroups;
  long int size = *ngroups;
  int result;

  newgroups = (gid_t *) malloc (size * sizeof (gid_t));
  if (__builtin_expect (newgroups == NULL, 0))
    /* No more memory.  */
    return -1;

  result = internal_getgrouplist (user, group, &size, &newgroups, -1);
  if (result > *ngroups)
      *ngroups = result;
      result = -1;
    *ngroups = result;
  memcpy (groups, newgroups, *ngroups * sizeof (gid_t));

  free (newgroups);
  return result;

The memcpy simply assumes to have room in the "groups" array for
anything that it finds in /etc/group. We allocate NGROUPS_MAX for the
array and hand that to libc which then happily overwrites past the end
of the array.

To me this does not really look usable. BTW, the code in glibc-2.3.2
looks exactly the same.

So what do you think about never using that crap?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url :

More information about the samba-technical mailing list