CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>

2 files changed, 19 insertions, 2 deletions

diff --git a/nsswitch/libwbclient/wbc_sid.c b/nsswitch/libwbclient/wbc_sid.c
index 471f71b084..0877ed04ae 100644
--- a/nsswitch/libwbclient/wbc_sid.c
+++ b/nsswitch/libwbclient/wbc_sid.c
@@ -427,6 +427,13 @@ wbcErr wbcLookupSids(const struct wbcDomainSid *sids, int num_sids,
 	for (i=0; i<num_names; i++) {
 
 		names[i].domain_index = strtoul(p, &q, 10);
+		if (names[i].domain_index < 0) {
+			goto wbc_err_invalid;
+		}
+		if (names[i].domain_index >= num_domains) {
+			goto wbc_err_invalid;
+		}
+
 		if (*q != ' ') {
 			goto wbc_err_invalid;
 		}
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 61acd1aa9e..cc75fc30a1 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -1395,15 +1395,25 @@ static bool wbinfo_lookup_sids(const char *arg)
 	}
 
 	for (i=0; i<num_sids; i++) {
+		const char *domain = NULL;
+
 		wbcSidToStringBuf(&sids[i], sidstr, sizeof(sidstr));
 
+		if (names[i].domain_index >= num_domains) {
+			domain = "<none>";
+		} else if (names[i].domain_index < 0) {
+			domain = "<none>";
+		} else {
+			domain = domains[names[i].domain_index].short_name;
+		}
+
 		if (names[i].type == WBC_SID_NAME_DOMAIN) {
 			d_printf("%s -> %s %d\n", sidstr,
-				 domains[names[i].domain_index].short_name,
+				 domain,
 				 names[i].type);
 		} else {
 			d_printf("%s -> %s%c%s %d\n", sidstr,
-				 domains[names[i].domain_index].short_name,
+				 domain,
 				 winbind_separator(),
 				 names[i].name, names[i].type);
 		}