| author | Jeremy Allison <jra@samba.org> | 2013-11-07 20:38:01 -0800 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2013-12-09 07:05:46 +0100 |
| commit | b0ba4a562112fc707f540e1ff7c8e55ea02479c9 (patch) | |
| tree | 9c6e8f33f681e88367f0b822b8c9845cb4d1da38 /source3/winbindd | |
| parent | a516ae6868386aa23f2beb52a576b0cf68042b1d (diff) | |
CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3/winbindd')
| -rw-r--r-- | source3/winbindd/wb_lookupsids.c | 3 | ||||
| -rw-r--r-- | source3/winbindd/winbindd_rpc.c | 32 |
2 files changed, 35 insertions, 0 deletions
diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c
index 2c4ebda3eb..e10d511493 100644
--- a/source3/winbindd/wb_lookupsids.c
+++ b/source3/winbindd/wb_lookupsids.c
@@ -402,6 +402,9 @@ static bool wb_lookupsids_move_name(struct lsa_RefDomainList *src_domains,
 	uint32_t src_domain_index, dst_domain_index;
 	src_domain_index = src_name->sid_index;
+	if (src_domain_index >= src_domains->count) {
+		return false;
+	}
 	src_domain = &src_domains->domains[src_domain_index];
 	if (!wb_lookupsids_find_dom_idx(
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
index 44deeb071c..7345ea798e 100644
--- a/source3/winbindd/winbindd_rpc.c
+++ b/source3/winbindd/winbindd_rpc.c
@@ -1084,6 +1084,10 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx,
 	if (NT_STATUS_IS_ERR(result)) {
 		return result;
 	}
+	if (sids->num_sids != lsa_names2.count) {
+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
+	}
+
 	names = talloc_zero(mem_ctx, struct lsa_TransNameArray);
 	if (names == NULL) {
 		return NT_STATUS_NO_MEMORY;
@@ -1099,6 +1103,16 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx,
 		names->names[i].name.string = talloc_move(
 			names->names, &lsa_names2.names[i].name.string);
 		names->names[i].sid_index = lsa_names2.names[i].sid_index;
+
+		if (names->names[i].sid_index == UINT32_MAX) {
+			continue;
+		}
+		if ((*pdomains) == NULL) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+		if (names->names[i].sid_index >= (*pdomains)->count) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
 	}
 	*pnames = names;
 	return result;
@@ -1114,6 +1128,7 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx,
 	struct rpc_pipe_client *cli = NULL;
 	struct policy_handle lsa_policy;
 	uint32_t count;
+	uint32_t i;
 	NTSTATUS status, result;
 	status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
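Review bot: The new bound check on `src_domain_index` would read better with a comment stating why it is there, since `sid_index` is copied from the server's LookupSids reply and nothing earlier in the hunk constrains it: `/* sid_index comes straight from the LookupSids reply; bound it before indexing src_domains->domains. */` above the added `if`. The `UINT32_MAX` sentinel that the winbindd_rpc.c hunks skip is also caught here, because it is never below `count`, so an unmapped name makes the function return false; if that is the intended outcome the comment should say so. wb_lookupsids_move_name continues outside the hunk, so whether the caller guarantees `src_domains` itself is non-NULL is not visible from here.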
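Review bot: The `(*pdomains) == NULL` test inside the new per-name loop in rpc_try_lookup_sids3 is loop-invariant, and the whole eight-line validation is repeated verbatim in the rpc_lookup_sids hunk below, so the same reply check now lives in two places. I'd extract it into a static helper, e.g. `static NTSTATUS rpc_lookupsids_check_reply(const struct lsa_TransNameArray *names, const struct lsa_RefDomainList *domains)`, that returns NT_STATUS_INVALID_NETWORK_RESPONSE on the first entry whose `sid_index` is neither `UINT32_MAX` nor below `domains->count` (and on a NULL `domains` for such an entry) and NT_STATUS_OK otherwise, and call it on `names` with `*pdomains` after the copy loop here and before `*pnames = names;` in rpc_lookup_sids. In rpc_try_lookup_sids3 that also means the array is accepted or rejected as a whole rather than bailing out halfway through the talloc_move loop. Both functions start before their hunks, so the exact type behind `*pdomains` (presumably `struct lsa_RefDomainList`) and what reclaims `names` on the error returns (it is allocated under mem_ctx, so talloc presumably does) should be confirmed against the full functions.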
@@ -1140,6 +1155,23 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx,
 	if (NT_STATUS_IS_ERR(result)) {
 		return result;
 	}
+
+	if (sids->num_sids != names->count) {
+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
+	}
+
+	for (i=0; i < names->count; i++) {
+		if (names->names[i].sid_index == UINT32_MAX) {
+			continue;
+		}
+		if ((*pdomains) == NULL) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+		if (names->names[i].sid_index >= (*pdomains)->count) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+	}
+
 	*pnames = names;
 	return result;
 }
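Review bot: On the new early returns in rpc_lookup_sids, `*pdomains` has presumably already been filled in by the LookupSids call above the hunk (the loop dereferences it) while `*pnames` is left untouched, so a caller receives an error status together with a half-populated pair of out-parameters. Either clear it on the way out, `*pdomains = NULL;` before each `return NT_STATUS_INVALID_NETWORK_RESPONSE;`, or state in the function's header comment that the out-parameters are undefined unless a non-error status is returned. The loop header `for (i=0; i < names->count; i++)` should be `for (i = 0; i < names->count; i++)` to match the spacing used elsewhere in the hunk. The same out-parameter question applies to the per-entry loop in rpc_try_lookup_sids3 above. The call that sets `*pdomains` is outside the hunk, so the assumption that it is assigned before these checks should be confirmed.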
