Fix bug #7669.

Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).

CVE-2010-3069:

===========
Description
===========

All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.

A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).

4 files changed, 23 insertions, 5 deletions

diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c
index f656bb13dc8..aa49b860d03 100644
--- a/source/lib/util_sid.c
+++ b/source/lib/util_sid.c
@@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
 
 	sid->sid_rev_num = CVAL(inbuf, 0);
 	sid->num_auths = CVAL(inbuf, 1);
+	if (sid->num_auths > MAXSUBAUTHS) {
+		return false;
+	}
 	memcpy(sid->id_auth, inbuf+2, 6);
 	if (len < 8 + sid->num_auths*4)
 		return False;
diff --git a/source/libads/ldap.c b/source/libads/ldap.c
index d9598e5dd83..f426996968f 100644
--- a/source/libads/ldap.c
+++ b/source/libads/ldap.c
@@ -2139,7 +2139,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values)
 	for (i=0; values[i]; i++) {
 		DOM_SID sid;
 		fstring tmp;
-		sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+		if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+			continue;
+		}
 		printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
 	}
 }
diff --git a/source/libsmb/cliquota.c b/source/libsmb/cliquota.c
index dcdfec241d9..47739f04a07 100644
--- a/source/libsmb/cliquota.c
+++ b/source/libsmb/cliquota.c
@@ -117,7 +117,9 @@ static bool parse_user_quota_record(const char *rdata, unsigned int rdata_count,
 	}
 #endif /* LARGE_SMB_OFF_T */
 
-	sid_parse(rdata+40,sid_len,&qt.sid);
+	if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+		return false;
+	}
 
 	qt.qtype = SMB_USER_QUOTA_TYPE;
 
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index c392380b5ec..b610b1fd397 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -1950,7 +1950,11 @@ static void call_nt_transact_ioctl(connection_struct *conn,
 		/* unknown 4 bytes: this is not the length of the sid :-(  */
 		/*unknown = IVAL(pdata,0);*/
 
-		sid_parse(pdata+4,sid_len,&sid);
+		if (!sid_parse(pdata+4,sid_len,&sid)) {
+			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+			return;
+		}
+
 		DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
 
 		if (!sid_to_uid(&sid, &uid)) {
@@ -2206,7 +2210,10 @@ static void call_nt_transact_get_user_quota(connection_struct *conn,
 				break;
 			}
 
-			sid_parse(pdata+8,sid_len,&sid);
+			if (!sid_parse(pdata+8,sid_len,&sid)) {
+				reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+				return;
+			}
 
 			if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
 				ZERO_STRUCT(qt);
@@ -2387,7 +2394,11 @@ static void call_nt_transact_set_user_quota(connection_struct *conn,
 	}
 #endif /* LARGE_SMB_OFF_T */
 
-	sid_parse(pdata+40,sid_len,&sid);
+	if (!sid_parse(pdata+40,sid_len,&sid)) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		return;
+	}
+
 	DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
 
 	/* 44 unknown bytes left... */