Hello there!
Another problem was found in the code that parses the AllowGroups parameter.
If this parameter is active and a partition ends up with exactly 100 uids,
memcpy will over-read the allocated memory: it tries to read 101 uid_t
values while only 100 have been allocated at that moment. The allocated
array is also not terminated with zero, so this ends in undefined behavior
immediately or later. See the fix in the attached patch.
With best wishes.
Andriy.
diff -udpr slurm-2.2.6/src/slurmctld/groups.c slurm-2.2.6.groupsfix/src/slurmctld/groups.c
--- slurm-2.2.6/src/slurmctld/groups.c 2011-05-27 21:25:06.000000000 +0300
+++ slurm-2.2.6.groupsfix/src/slurmctld/groups.c 2011-07-02 12:03:46.000000000 +0300
@@ -147,7 +147,7 @@ extern uid_t *get_group_members(char *gr
}
if (my_uid == 0)
continue;
- if (j >= uid_cnt) {
+ if (j+1 >= uid_cnt) {
uid_cnt += 100;
xrealloc(group_uids,
(sizeof(uid_t) * uid_cnt));
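Review bot: The new `j+1 >= uid_cnt` test reserves one spare element for the zero terminator, but nothing at the site says so, and the next maintainer could easily "simplify" it back to `j >= uid_cnt` and reintroduce the over-read. A one-line comment above the check, such as `/* keep one spare slot for the terminating 0 */`, would document the invariant; the identical check in the second hunk needs the same comment. The terminator itself is not written in any visible line, so it presumably depends on xrealloc zero-filling the grown region, which should be confirmed. get_group_members starts and ends outside this hunk.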
@@ -174,7 +174,7 @@ extern uid_t *get_group_members(char *gr
#endif
if (pwd_result->pw_gid != my_gid)
continue;
- if (j >= uid_cnt) {
+ if (j+1 >= uid_cnt) {
uid_cnt += 100;
xrealloc(group_uids, (sizeof(uid_t) * uid_cnt));
}
@@ -186,7 +186,7 @@ extern uid_t *get_group_members(char *gr
endpwent();
#endif
- _put_group_cache(group_name, group_uids, uid_cnt);
+ _put_group_cache(group_name, group_uids, j);
_log_group_members(group_name, group_uids);
return group_uids;
}
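Review bot: Passing `j` instead of `uid_cnt` changes the meaning of `_put_group_cache`'s third argument from allocated capacity to the number of uids actually stored, and `cache_rec->uid_cnt` now records that count. Code that reads a cache record back and sizes its own copy from `uid_cnt` is not part of this diff; it has to allocate and copy `uid_cnt + 1` elements if callers still expect a zero-terminated array, so that path should be checked against the new meaning. A short comment at the call, such as `/* j = uids stored, terminator not counted */`, would make the contract explicit.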
@@ -257,11 +257,11 @@ static void _put_group_cache(char *group
fatal("list_create: malloc failure:");
}
- sz = sizeof(uid_t) * (uid_cnt + 1);
+ sz = sizeof(uid_t) * (uid_cnt);
cache_rec = xmalloc(sizeof(struct group_cache_rec));
cache_rec->group_name = xstrdup(group_name);
cache_rec->uid_cnt = uid_cnt;
- cache_rec->group_uids = (uid_t *) xmalloc(sz);
+ cache_rec->group_uids = (uid_t *) xmalloc(sizeof(uid_t) + sz);
if (uid_cnt > 0)
memcpy(cache_rec->group_uids, group_uids, sz);
list_append(group_cache_list, cache_rec);
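Review bot: The terminator element of `cache_rec->group_uids` is never written. The buffer is allocated one `uid_t` larger than the `sz` bytes that memcpy fills, so the last element is zero only if xmalloc returns zeroed memory, which this hunk does not show. Writing it explicitly after the copy, `cache_rec->group_uids[uid_cnt] = 0;`, keeps the bounds invariant local to the function. The allocation would also read more directly as `xmalloc(sizeof(uid_t) * (uid_cnt + 1))` than as `sizeof(uid_t) + sz`. _put_group_cache starts and ends outside this hunk.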