diff options
author | Jeremy Allison <jra@samba.org> | 2013-11-07 20:38:01 -0800 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-12-09 07:05:46 +0100 |
commit | b0ba4a562112fc707f540e1ff7c8e55ea02479c9 (patch) | |
tree | 9c6e8f33f681e88367f0b822b8c9845cb4d1da38 /nsswitch | |
parent | a516ae6868386aa23f2beb52a576b0cf68042b1d (diff) | |
download | samba-b0ba4a562112fc707f540e1ff7c8e55ea02479c9.tar.gz samba-b0ba4a562112fc707f540e1ff7c8e55ea02479c9.tar.xz samba-b0ba4a562112fc707f540e1ff7c8e55ea02479c9.zip |
CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'nsswitch')
-rw-r--r-- | nsswitch/libwbclient/wbc_sid.c | 7 | ||||
-rw-r--r-- | nsswitch/wbinfo.c | 14 |
2 files changed, 19 insertions, 2 deletions
diff --git a/nsswitch/libwbclient/wbc_sid.c b/nsswitch/libwbclient/wbc_sid.c index 471f71b084..0877ed04ae 100644 --- a/nsswitch/libwbclient/wbc_sid.c +++ b/nsswitch/libwbclient/wbc_sid.c @@ -427,6 +427,13 @@ wbcErr wbcLookupSids(const struct wbcDomainSid *sids, int num_sids, for (i=0; i<num_names; i++) { names[i].domain_index = strtoul(p, &q, 10); + if (names[i].domain_index < 0) { + goto wbc_err_invalid; + } + if (names[i].domain_index >= num_domains) { + goto wbc_err_invalid; + } + if (*q != ' ') { goto wbc_err_invalid; } diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c index 61acd1aa9e..cc75fc30a1 100644 --- a/nsswitch/wbinfo.c +++ b/nsswitch/wbinfo.c @@ -1395,15 +1395,25 @@ static bool wbinfo_lookup_sids(const char *arg) } for (i=0; i<num_sids; i++) { + const char *domain = NULL; + wbcSidToStringBuf(&sids[i], sidstr, sizeof(sidstr)); + if (names[i].domain_index >= num_domains) { + domain = "<none>"; + } else if (names[i].domain_index < 0) { + domain = "<none>"; + } else { + domain = domains[names[i].domain_index].short_name; + } + if (names[i].type == WBC_SID_NAME_DOMAIN) { d_printf("%s -> %s %d\n", sidstr, - domains[names[i].domain_index].short_name, + domain, names[i].type); } else { d_printf("%s -> %s%c%s %d\n", sidstr, - domains[names[i].domain_index].short_name, + domain, winbind_separator(), names[i].name, names[i].type); } |