In ncp_conn_alloc(), a new credential pointer, 'owner', is set up to point

at the credential to be used by the connection. However, the pointer's value was ignored when actually setting hcp->nc_owner. (1) Do set nc_owner to the owner pointer value so that the credential is not discarded after being carefully configured. (2) In the case where we create a new credential with modified uid, copy the existing credential to initialize non-uid fields to existing values, which will lead to a fully initialized MAC label, groups, etc. Found with: Coverity Prevent(tm) CID: 2226
2026-05-28 04:12:45 -04:00 · 2007-05-27 17:14:33 +00:00 · 2007-05-27 17:14:33 +00:00 · bdcfa9589b
commit bdcfa9589b
parent b312d4b0ba
1 changed files with 4 additions and 3 deletions
--- a/sys/netncp/ncp_conn.c
+++ b/sys/netncp/ncp_conn.c
@ -223,10 +223,10 @@ ncp_conn_alloc(struct ncp_conn_args *cap, struct thread *td, struct ucred *cred,

 	if (cap->saddr.sa_family != AF_INET && cap->saddr.sa_family != AF_IPX)
 		return EPROTONOSUPPORT;
-	isroot = ncp_suser(cred) == 0;
 	/*
-	 * Only root can change ownership
+	 * Only root can change ownership.
 	 */
+	isroot = ncp_suser(cred) == 0;
 	if (cap->owner != NCP_DEFAULT_OWNER && !isroot)
 		return EPERM;
 	if (cap->group != NCP_DEFAULT_GROUP &&
@ -234,6 +234,7 @@ ncp_conn_alloc(struct ncp_conn_args *cap, struct thread *td, struct ucred *cred,
 		return EPERM;
 	if (cap->owner != NCP_DEFAULT_OWNER) {
 		owner = crget();
+		crcopy(owner, cred);
 		owner->cr_uid = cap->owner;
 	} else
 		owner = crhold(cred);
@ -243,7 +244,7 @@ ncp_conn_alloc(struct ncp_conn_args *cap, struct thread *td, struct ucred *cred,
 	lockinit(&ncp->nc_lock, PZERO, "ncplck", 0, 0);
 	ncp_conn_cnt++;
 	ncp->nc_id = ncp_next_ref++;
-	ncp->nc_owner = cred;
+	ncp->nc_owner = owner;
 	ncp->seq = 0;
 	ncp->connid = 0xFFFF;
 	ncp->li = *cap;