Fix memory unsafety in unistd::getgrouplist

Fixes #1541
nix-rust · Sep 29, 2021 · 94ccf88 · 94ccf88
1 parent de534c1
commit 94ccf88
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 This project adheres to [Semantic Versioning](https://semver.org/).
 
+## [0.20.2] - 28 September 2021
+### Added
+### Changed
+### Fixed
+
+- Fixed buffer overflow in `unistd::getgrouplist`.
+  (#[1545](https://github.com/nix-rust/nix/pull/1545))
+
 ## [0.20.1] - 13 August 2021
 ### Added
 ### Changed

diff --git a/src/unistd.rs b/src/unistd.rs
@@ -1514,8 +1514,7 @@ pub fn getgrouplist(user: &CStr, group: Gid) -> Result<Vec<Gid>> {
         Ok(None) | Err(_) => <c_int>::max_value(),
     };
     use std::cmp::min;
-    let mut ngroups = min(ngroups_max, 8);
-    let mut groups = Vec::<Gid>::with_capacity(ngroups as usize);
+    let mut groups = Vec::<Gid>::with_capacity(min(ngroups_max, 8) as usize);
     cfg_if! {
         if #[cfg(any(target_os = "ios", target_os = "macos"))] {
             type getgrouplist_group_t = c_int;
@@ -1525,6 +1524,7 @@ pub fn getgrouplist(user: &CStr, group: Gid) -> Result<Vec<Gid>> {
     }
     let gid: gid_t = group.into();
     loop {
+        let mut ngroups = groups.capacity() as i32;
         let ret = unsafe {
             libc::getgrouplist(user.as_ptr(),
                                gid as getgrouplist_group_t,