| Age | Commit message | Author |
|
First, we should never check the size of __s if __l == 0 since the
array is not going to be modified in that case.
Second, negative __l is a well-defined error case (EINVAL) and we
should never trap on conforming code like this:

    r = getgroups(-1, NULL);
    if (r == -1)
        ...

An example of non-desired behaviour for negative __l is the gnulib
configure script which checks for getgroups(-1, ...) to catch some
ancient FreeBSD kernel bug. The conftest binary traps even on a good
system (e.g. linux/musl) and the unnecessary getgroups wrapper is
enforced for any project that uses gnulib.
This patch also changes the size_t cast to avoid the explicit zero
extension on systems where size_t differs from unsigned int.
|
A few important notes:
* __extension__ is a GNU C "alternate" keyword, not a C++ keyword.[1]
* __extension__ is designed to work on "expressions"; it does work on
  #include_next in C mode, but it has no effect in C++ mode; the
  warning will still appear, if enabled, even with __extension__
  preceding #include_next. This is because #include_next is not
  considered an expression in C++, so the compiler attaches
  __extension__ to the first expression of the header.
All of this leads us to a build failure while building at least all
Mozilla software. Moz has an alternate -isystem dir searched before
/usr/include that overrides some headers, including <features.h>. The
first statement in each of these headers is a #pragma, and since
__extension__ is looking for an expression, and #pragma is a "null"
expression, we end up with the following error:

    dist/system_wrappers/features.h:1:9: error: '#pragma' is not allowed here

Since __extension__ has no effect on #include_next in C++ mode anyway,
and since it can cause breakage, this commit omits __extension__ in C++
mode.
[1]: https://gcc.gnu.org/onlinedocs/gcc-6.4.0/gcc/Alternate-Keywords.html
|
Do not crash unless the overflow would actually happen.
|
Signed-off-by: Steven Barth <steven@midlink.org>
|
Signed-off-by: Steven Barth <steven@midlink.org>
|
Overriding functions with macros is legal in C but a lot of software
is not prepared for it. Use the extern inline method to achieve the
same result.
|
fortify-headers is considered part of the implementation.
|
It is not legal to override standard functions using macros in C++.
We may have to revisit this in the future.
|
We can never have an array of more than SIZE_MAX/2/sizeof(gid_t)
gid_t's.
|
Since getgroups() will never write more than NGROUPS_MAX entries
we might as well cap len to that value.
The following should probably not trap the program:

    gid_t set[NGROUPS_MAX];
    getgroups(NGROUPS_MAX + 1, set);

|
These can produce false positives. Given that we support fortify
source level 1 we shouldn't break valid code.
|
Thanks zhasha for spotting this.