
lib/privs: Remove of CAP_NET_BROADCAST forgot to decrement array count

* lib/privs.c: (cap_map) Removal of Linux CAP_NET_BROADCAST from ZCAP_BIND
  forgot to decrement the array count in the 'num' field, resulting in an
  overread of memory from zcaps2sys from zprivs_caps_init.
Paul Jakma 1 year ago
parent
commit
5c2cba2d39
1 changed files with 2 additions and 3 deletions
  1. 2 3
      lib/privs.c

+ 2 - 3
lib/privs.c

@@ -102,7 +102,7 @@ static struct
 #ifdef HAVE_LCAPS /* Quagga -> Linux capabilities mappings */
   [ZCAP_SETID] = 	{ 2, (pvalue_t []) { CAP_SETGID,
                                              CAP_SETUID 		}, },
-  [ZCAP_BIND] =		{ 2, (pvalue_t []) { CAP_NET_BIND_SERVICE	}, },
+  [ZCAP_BIND] =		{ 1, (pvalue_t []) { CAP_NET_BIND_SERVICE	}, },
   [ZCAP_NET_ADMIN] =	{ 1, (pvalue_t []) { CAP_NET_ADMIN		}, },
   [ZCAP_NET_RAW] = 	{ 1, (pvalue_t []) { CAP_NET_RAW		}, },
   [ZCAP_CHROOT] = 	{ 1, (pvalue_t []) { CAP_SYS_CHROOT,		}, },
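Review bot: The element count on the `[ZCAP_BIND]` line is still a hand-written literal next to the compound literal it describes, so the mismatch this commit fixes can recur whenever a capability is added to or removed from any entry in the table. Deriving the count from the initialiser list removes that class of overread, for example with a helper macro (name illustrative) `#define ZCAP_ENTRY(...) { sizeof((pvalue_t []){ __VA_ARGS__ }) / sizeof(pvalue_t), (pvalue_t []){ __VA_ARGS__ } }` used as `[ZCAP_BIND] = ZCAP_ENTRY(CAP_NET_BIND_SERVICE),`. If the table keeps its current form, a comment above it such as `/* first field must equal the number of initialisers in the array */` would at least record the invariant. The struct definition and the rest of the table are outside the hunk, so the counts of the other entries cannot be checked from here.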
@@ -127,9 +127,8 @@ static struct
   [ZCAP_CHROOT] = 	{ 1, (pvalue_t []) { PRIV_PROC_CHROOT		}, },
   [ZCAP_NICE] = 	{ 1, (pvalue_t []) { PRIV_PROC_PRIOCNTL		}, },
   [ZCAP_PTRACE] =	{ 1, (pvalue_t []) { PRIV_PROC_SESSION		}, },
-  [ZCAP_DAC_OVERRIDE] = { 2, (pvalue_t []) { PRIV_FILE_DAC_EXECUTE, 
+  [ZCAP_DAC_OVERRIDE] = { 4, (pvalue_t []) { PRIV_FILE_DAC_EXECUTE, 
                                              PRIV_FILE_DAC_READ,
-                                             PRIV_FILE_DAC_SEARCH,
                                              PRIV_FILE_DAC_WRITE,
                                              PRIV_FILE_DAC_SEARCH	}, },
   [ZCAP_READ_SEARCH] =	{ 2, (pvalue_t []) { PRIV_FILE_DAC_SEARCH,
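Review bot: The `[ZCAP_DAC_OVERRIDE]` change from a count of 2 to 4 is not mentioned in the commit description, and it is a behaviour change on the Solaris mapping rather than an overread fix. With the old count, presumably only `PRIV_FILE_DAC_EXECUTE` and `PRIV_FILE_DAC_READ` were consumed, whereas `PRIV_FILE_DAC_WRITE` and `PRIV_FILE_DAC_SEARCH` are now covered as well. Since this widens the privilege set that ZCAP_DAC_OVERRIDE maps to, it deserves its own line in the description, for instance `(cap_map) Solaris ZCAP_DAC_OVERRIDE: drop duplicate PRIV_FILE_DAC_SEARCH and correct count to 4`. Someone with a Solaris build should also confirm that the daemons still start with the intended permitted set. The `[ZCAP_READ_SEARCH]` entry on the last line declares 2 elements, but its initialiser continues outside the hunk, so that count should be checked against its list as well.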