diff options
| author | Jeremy Allison <jra@samba.org> | 2013-11-07 20:38:01 -0800 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2013-12-09 07:05:46 +0100 |
| commit | b0ba4a562112fc707f540e1ff7c8e55ea02479c9 (patch) | |
| tree | 9c6e8f33f681e88367f0b822b8c9845cb4d1da38 /source4/libcli | |
| parent | a516ae6868386aa23f2beb52a576b0cf68042b1d (diff) | |
| download | samba-b0ba4a562112fc707f540e1ff7c8e55ea02479c9.tar.gz samba-b0ba4a562112fc707f540e1ff7c8e55ea02479c9.tar.xz samba-b0ba4a562112fc707f540e1ff7c8e55ea02479c9.zip | |
CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source4/libcli')
| -rw-r--r-- | source4/libcli/util/clilsa.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/source4/libcli/util/clilsa.c b/source4/libcli/util/clilsa.c index 812f953ce85..cc0dae5984f 100644 --- a/source4/libcli/util/clilsa.c +++ b/source4/libcli/util/clilsa.c @@ -260,7 +260,21 @@ NTSTATUS smblsa_lookup_sid(struct smbcli_state *cli, } if (names.count != 1) { talloc_free(mem_ctx2); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + if (domains == NULL) { + talloc_free(mem_ctx2); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + if (domains->count != 1) { + talloc_free(mem_ctx2); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + if (names.names[0].sid_index != UINT32_MAX && + names.names[0].sid_index >= domains->count) + { + talloc_free(mem_ctx2); + return NT_STATUS_INVALID_NETWORK_RESPONSE; } (*name) = talloc_asprintf(mem_ctx, "%s\\%s", |