2005-12-15 Aubrey.Li <aubreylee@gmail.com> writes:
When I mounted nfs on my target, the kernel crashed. And I found it
was caused by stack overflow. When I dug into it, I found the
following issue.

In the file "./uClibc/libc/inet/rpc/auth_unix.c"
int max_nr_groups = sysconf (_SC_NGROUPS_MAX);
gid_t gids[max_nr_groups];

And, NGROUPS_MAX is defined in the file "./linux-2.6.x/include/linux/limits.h"
#define NGROUPS_MAX 65536 /* supplemental group IDs are available */

OK, here we can know max_nr_groups is assigned to 65536, that means a
huge matrix "gids[65536]" is in the function **authunix_create_default**.

My method is doing it by malloc, the patch as follows.

Mike Frysinger 18 years ago
parent
commit
766709000a
1 changed file with 9 additions and 2 deletions

+ 9 - 2
libc/inet/rpc/auth_unix.c

@@ -183,7 +183,12 @@ __authunix_create_default (void)
   uid_t uid;
   gid_t gid;
   int max_nr_groups = sysconf (_SC_NGROUPS_MAX);
-  gid_t gids[max_nr_groups];
+  gid_t *gids;
+  AUTH *ret_auth;
+
+  gids = (gid_t*)malloc(sizeof(*gids) * max_nr_groups);
+  if (gids == NULL)
+    abort ();
 
   if (gethostname (machname, MAX_MACHINE_NAME) == -1)
     abort ();
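Review bot: max_nr_groups is used as the malloc multiplier without any check that the sysconf call succeeded. sysconf (_SC_NGROUPS_MAX) returns a long and can return -1; once that is stored in an int and multiplied by sizeof(*gids), it converts to a very large size_t, and the failure only shows up indirectly as the abort () on a NULL malloc result. Consider testing max_nr_groups <= 0 right after the sysconf call and handling that case explicitly. The (gid_t*) cast on the malloc result is also unnecessary in C and can be dropped.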
@@ -196,7 +201,9 @@ __authunix_create_default (void)
   /* This braindamaged Sun code forces us here to truncate the
      list of groups to NGRPS members since the code in
      authuxprot.c transforms a fixed array.  Grrr.  */
-  return __authunix_create (machname, uid, gid, MIN (NGRPS, len), gids);
+  ret_auth = __authunix_create (machname, uid, gid, MIN (NGRPS, len), gids);
+  free (gids);
+  return ret_auth;
 }
 strong_alias(__authunix_create_default,authunix_create_default)
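Review bot: the free (gids) directly after __authunix_create is only safe if that function copies the group list instead of keeping the gids pointer inside the returned AUTH. The removed stack array had the same lifetime limit, so this is probably already true, but nothing in this hunk shows it. A short comment above free (gids) stating that __authunix_create takes its own copy would make the ownership explicit and guard against a later change turning this into a use-after-free.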