351470: setuid root programs linked with NSPR allow elevation of privilege. NSPRPUB_PRE_4_2_CLIENT_BRANCH
authorwtchang%redhat.com
Tue, 12 Sep 2006 00:01:25 +0000
branchNSPRPUB_PRE_4_2_CLIENT_BRANCH
changeset 3689 838281707bc1f409e9c08b72e260a8645d1ad024
parent 3688 d7e4f1d70aa4b836fc5c26ec03c6757b9bf5d9b0
child 3690 595fae0b72aa1097324b3014ae192354106242c9
push idunknown
push userunknown
push dateunknown
bugs351470
351470: setuid root programs linked with NSPR allow elevation of privilege. r=nelson, sr=wtc Tag: NSPRPUB_PRE_4_2_CLIENT_BRANCH
pr/src/io/prfdcach.c
pr/src/misc/pratom.c
--- a/pr/src/io/prfdcach.c
+++ b/pr/src/io/prfdcach.c
@@ -272,16 +272,24 @@ void _PR_InitFdCache(void)
     _pr_fd_cache.limit_high = FD_SETSIZE;
 #else
     _pr_fd_cache.limit_high = 0;
 #endif  /* defined(DEBUG) */
 
     if (NULL != low) _pr_fd_cache.limit_low = atoi(low);
     if (NULL != high) _pr_fd_cache.limit_high = atoi(high);
 
+    if (_pr_fd_cache.limit_low < 0)
+        _pr_fd_cache.limit_low = 0;
+    if (_pr_fd_cache.limit_low > FD_SETSIZE)
+        _pr_fd_cache.limit_low = FD_SETSIZE;
+
+    if (_pr_fd_cache.limit_high > FD_SETSIZE)
+        _pr_fd_cache.limit_high = FD_SETSIZE;
+
     if (_pr_fd_cache.limit_high < _pr_fd_cache.limit_low)
         _pr_fd_cache.limit_high = _pr_fd_cache.limit_low;
 
     _pr_fd_cache.ml = PR_NewLock();
     PR_ASSERT(NULL != _pr_fd_cache.ml);
     _pr_fd_cache.stack = PR_CreateStack("FD");
     PR_ASSERT(NULL != _pr_fd_cache.stack);
 
--- a/pr/src/misc/pratom.c
+++ b/pr/src/misc/pratom.c
@@ -115,16 +115,18 @@ int index;
 	PR_ASSERT(PR_FloorLog2(DEFAULT_ATOMIC_LOCKS) ==
 							PR_CeilingLog2(DEFAULT_ATOMIC_LOCKS));
 
 	if (((eval = getenv("NSPR_ATOMIC_HASH_LOCKS")) != NULL)  &&
 		((num_atomic_locks = atoi(eval)) != DEFAULT_ATOMIC_LOCKS)) {
 
 		if (num_atomic_locks > MAX_ATOMIC_LOCKS)
 			num_atomic_locks = MAX_ATOMIC_LOCKS;
+		else if (num_atomic_locks < 1) 
+			num_atomic_locks = 1;
 		else {
 			num_atomic_locks = PR_FloorLog2(num_atomic_locks);
 			num_atomic_locks = 1L << num_atomic_locks;
 		}
 		atomic_locks = (pthread_mutex_t *) PR_Malloc(sizeof(pthread_mutex_t) *
 						num_atomic_locks);
 		if (atomic_locks) {
 			for (index = 0; index < num_atomic_locks; index++) {