diff options
| author | Jeremy Allison <jra@samba.org> | 2010-09-09 15:43:07 +0200 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2010-09-09 15:43:07 +0200 |
| commit | df1c76e2275068d1006e82a4a21d42b58175268b (patch) | |
| tree | 218774cfa0a2f889837c6c0c2e306266784c4209 /source/libads/ldap.c | |
| parent | da9325d02038b5e65873593dece510fa09851772 (diff) | |
| download | samba-df1c76e2275068d1006e82a4a21d42b58175268b.tar.gz samba-df1c76e2275068d1006e82a4a21d42b58175268b.tar.xz samba-df1c76e2275068d1006e82a4a21d42b58175268b.zip | |
Fix bug #7669.
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
Diffstat (limited to 'source/libads/ldap.c')
| -rw-r--r-- | source/libads/ldap.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/source/libads/ldap.c b/source/libads/ldap.c index d9598e5dd83..f426996968f 100644 --- a/source/libads/ldap.c +++ b/source/libads/ldap.c @@ -2139,7 +2139,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values) for (i=0; values[i]; i++) { DOM_SID sid; fstring tmp; - sid_parse(values[i]->bv_val, values[i]->bv_len, &sid); + if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) { + continue; + } printf("%s: %s\n", field, sid_to_fstring(tmp, &sid)); } } |