From cb01b90a5c8c1deca5149a7b2fb2f24e407cb080 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Tue, 15 Aug 2023 08:52:02 -0600
Subject: [PATCH] We still need to clamp ngids if getgrouplist2() returns -1.

Otherwise, we end up with ngids set to the number of gids the user
belongs to which may be larger than what the front-end specified.
Fixes a regression introduced in the last commit here.
---
 plugins/sudoers/pwutil_impl.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/plugins/sudoers/pwutil_impl.c b/plugins/sudoers/pwutil_impl.c
index 097e6f6822..bfc7eda4eb 100644
--- a/plugins/sudoers/pwutil_impl.c
+++ b/plugins/sudoers/pwutil_impl.c
@@ -307,8 +307,9 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, char * const *gidstrs,
 		    "unable to allocate memory");
 		debug_return_ptr(NULL);
 	    }
-	    /* getgrouplist2() returns failure if it can't store all groups. */
-	    (void)PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids);
+	    /* Clamp to max_groups if insufficient space for all groups. */
+	    if (PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1)
+		ngids = sudo_pwutil_get_max_groups();
 	} else {
 	    gids = NULL;
 	    if (PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1) {