From 766709000aca35c4851cdb9b84e78db52ed8290d Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Tue, 27 Dec 2005 09:03:53 +0000
Subject: 2005-12-15 Aubrey.Li writes: When I mounted nfs on my target, the kernel crashed. And I found it was caused by stack overflow. When I digged into it. I found the following issue. In the file "./uClibc/libc/inet/rpc/auth_unix.c" int max_nr_groups = sysconf (_SC_NGROUPS_MAX); gid_t gids[max_nr_groups]; And, NGROUPS_MAX is defined in the file "./linux-2.6.x/include/linux/limits.h" #define NGROUPS_MAX 65536 /* supplemental group IDs are available */ OK, here we can know max_nr_groups is assigned to 65536, that means a huge matrix "gids[65536] is in the function **authunix_create_default**. My method is doing it by malloc, the patch as follows.
---
 libc/inet/rpc/auth_unix.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
(limited to 'libc/inet')
diff --git a/libc/inet/rpc/auth_unix.c b/libc/inet/rpc/auth_unix.c
index 65554147d..3cb286cc4 100644
--- a/libc/inet/rpc/auth_unix.c
+++ b/libc/inet/rpc/auth_unix.c
@@ -183,7 +183,12 @@ __authunix_create_default (void)
 uid_t uid;
 gid_t gid;
 int max_nr_groups = sysconf (_SC_NGROUPS_MAX);
- gid_t gids[max_nr_groups];
+ gid_t *gids;
+ AUTH *ret_auth;
+
+ gids = (gid_t*)malloc(sizeof(*gids) * max_nr_groups);
+ if (gids == NULL)
+ abort ();
 if (gethostname (machname, MAX_MACHINE_NAME) == -1)
 abort ();
@@ -196,7 +201,9 @@ __authunix_create_default (void)
 /* This braindamaged Sun code forces us here to truncate the list of groups to NGRPS members since the code in authuxprot.c transforms a fixed array. Grrr. */
- return __authunix_create (machname, uid, gid, MIN (NGRPS, len), gids);
+ ret_auth = __authunix_create (machname, uid, gid, MIN (NGRPS, len), gids);
+ free (gids);
+ return ret_auth;
 }
 strong_alias(__authunix_create_default,authunix_create_default)
-- cgit v1.2.3
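Review bot: `max_nr_groups` goes straight from `sysconf (_SC_NGROUPS_MAX)` into `malloc(sizeof(*gids) * max_nr_groups)` without a range check. `sysconf` returns -1 when the limit is indeterminate or the call fails, and that negative `int` converts to a huge `size_t`, so the error only surfaces as a failed allocation and `abort ()`. A guard before the allocation, `if (max_nr_groups <= 0) abort ();`, would make the failure explicit and keep the size computation within a known range. The `(gid_t*)` cast on `malloc` is unnecessary in C and can mask a missing `<stdlib.h>` prototype. The rest of the function body, including whatever fills `gids`, lies outside this hunk.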
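Review bot: `free (gids);` right after `__authunix_create (...)` is only safe if that function copies the group list into the returned `AUTH` rather than keeping the caller's pointer, which this hunk does not show. If it kept the pointer, the handle would hold a dangling reference. Assuming it does copy, a comment on the free would record the ownership rule, for example `/* __authunix_create copies the gids it needs; the scratch array is ours to release. */`. The code between the two hunks is not visible here, so any non-aborting early return there would also have to free `gids`.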