Prevent set_threadgroups() failure

Neither uid nor gid should be -1. If a client sends such a value, setfsuid, setfsuid or __NR_setgroups may fail. Check for invalid uid/gid and return a failure in such a case.
linuxbox2 · Aug 27, 2020 · 2ff5a1b · 2ff5a1b
1 parent dadc0cd
commit 2ff5a1b
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/svc_auth_unix.c b/src/svc_auth_unix.c
@@ -93,14 +93,19 @@ _svcauth_unix(struct svc_req *req)
 		aup->aup_uid = (int)IXDR_GET_INT32(buf);
 		aup->aup_gid = (int)IXDR_GET_INT32(buf);
 		gid_len = (size_t) IXDR_GET_U_INT32(buf);
-		if (gid_len > NGRPS) {
+		if (gid_len > NGRPS || aup->aup_uid == (uid_t)-1 ||
+				aup->aup_gid == (gid_t)-1) {
 			stat = AUTH_BADCRED;
 			goto done;
 		}
 		aup->aup_len = gid_len;
 		for (i = 0; i < gid_len; i++) {
 			/* suppress block warning */
 			aup->aup_gids[i] = (int)IXDR_GET_INT32(buf);
+			if (aup->aup_gids[i] == (gid_t)-1) {
+				stat = AUTH_BADCRED;
+				goto done;
+			}
 		}
 		/*
 		 * five is the smallest unix credentials structure -