proc/readproc.c: Harden supgrps_from_supgids().

1/ Prevent an integer overflow of t.

2/ Avoid an infinite loop if s contains characters other than comma,
spaces, +, -, and digits.

3/ Handle all possible return values of snprintf().
This commit is contained in:
Qualys Security Advisory - committed by Craig Small
parent 6fb2bbaa0d
commit 20269a4129

View File

@ -464,10 +464,24 @@ static void supgrps_from_supgids (proc_t *p) {
s = p->supgid; s = p->supgid;
t = 0; t = 0;
do { do {
if (',' == *s) ++s; const int max = P_G_SZ+2;
g = pwcache_get_group((uid_t)strtol(s, &s, 10)); char *end = NULL;
p->supgrp = xrealloc(p->supgrp, P_G_SZ+t+2); gid_t gid;
t += snprintf(p->supgrp+t, P_G_SZ+2, "%s%s", t ? "," : "", g); int len;
while (',' == *s) ++s;
gid = strtol(s, &end, 10);
if (end <= s) break;
s = end;
g = pwcache_get_group(gid);
if (t >= INT_MAX - max) break;
p->supgrp = xrealloc(p->supgrp, t + max);
len = snprintf(p->supgrp+t, max, "%s%s", t ? "," : "", g);
if (len <= 0) (p->supgrp+t)[len = 0] = '\0';
else if (len >= max) len = max-1;
t += len;
} while (*s); } while (*s);
} }