From b64c71e6b777ab333b1f8b8d481a9bf1a9ac8adf Mon Sep 17 00:00:00 2001
From: Alexandr Morozov
Date: Sat, 17 May 2014 22:43:31 +0400
Subject: [PATCH] Check uid ranges Fixes #5647
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov (github: LK4D4)
---
 user/user.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/user/user.go b/user/user.go
index 1672f7e6..df471012 100644
--- a/user/user.go
+++ b/user/user.go
@@ -9,6 +9,15 @@ import (
 "strings"
 )

+const (
+ minId = 0
+ maxId = 1<<31 - 1 //for 32-bit systems compatibility
+)
+
+var (
+ ErrRange = fmt.Errorf("Uids and gids must be in range %d-%d", minId, maxId)
+)
+
 type User struct {
 Name string
 Pass string
@@ -194,6 +203,9 @@ func GetUserGroupSupplementary(userSpec string, defaultUid int, defaultGid int)
 // not numeric - we have to bail
 return 0, 0, nil, fmt.Errorf("Unable to find user %v", userArg)
 }
+ if uid < minId || uid > maxId {
+ return 0, 0, nil, ErrRange
+ }

 // if userArg couldn't be found in /etc/passwd but is numeric, just roll with it - this is legit
 }
@@ -226,6 +238,9 @@ func GetUserGroupSupplementary(userSpec string, defaultUid int, defaultGid int)
 // not numeric - we have to bail
 return 0, 0, nil, fmt.Errorf("Unable to find group %v", groupArg)
 }
+ if gid < minId || gid > maxId {
+ return 0, 0, nil, ErrRange
+ }

 // if groupArg couldn't be found in /etc/group but is numeric, just roll with it - this is legit
 }
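Review bot: The exported `ErrRange` has no doc comment, and the `//for 32-bit systems compatibility` remark on `maxId` does not say which 32-bit quantity sets the limit. If the bound exists because uid and gid are carried as Go `int`, state that, for example `// maxId is the largest id that fits in a 32-bit signed int.`, since the cap also refuses ids from 1<<31 upward that an unsigned 32-bit uid can represent and a reader should know that is deliberate. For the error, `// ErrRange is returned when a numeric uid or gid lies outside minId..maxId.` is enough. As a style point, Go initialism casing would make these `minID` and `maxID`.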
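Review bot: The range check on `uid` is placed inside the numeric-fallback branch, so it only covers a `userArg` that was not found in /etc/passwd and was parsed as a number; a uid resolved from a passwd entry or taken from `defaultUid` is not bounded by anything visible in this hunk. If those files are read from the container's filesystem they are untrusted input as well, so validating the resolved value once after the lookup, `if uid < minId || uid > maxId { return 0, 0, nil, ErrRange }`, would cover every path. The `gid` check in the `@@ -226,6 +238,9 @@` hunk has the same placement, and the supplementary gids in the third return value should get the same bound. GetUserGroupSupplementary begins and ends outside both hunks, so confirm how the file-backed path parses ids before moving the guard.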