authorJeremy Allison <jra@samba.org>2013-11-07 20:38:01 -0800
committerKarolin Seeger <kseeger@samba.org>2013-12-09 07:05:46 +0100
commitb0ba4a562112fc707f540e1ff7c8e55ea02479c9 (patch)
tree9c6e8f33f681e88367f0b822b8c9845cb4d1da38 /source4
parenta516ae6868386aa23f2beb52a576b0cf68042b1d (diff)
CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/libcli/util/clilsa.c16
-rw-r--r--source4/winbind/wb_async_helpers.c13
2 files changed, 27 insertions, 2 deletions
diff --git a/source4/libcli/util/clilsa.c b/source4/libcli/util/clilsa.c
index 812f953ce85..cc0dae5984f 100644
--- a/source4/libcli/util/clilsa.c
+++ b/source4/libcli/util/clilsa.c
@@ -260,7 +260,21 @@ NTSTATUS smblsa_lookup_sid(struct smbcli_state *cli,
}
if (names.count != 1) {
talloc_free(mem_ctx2);
- return NT_STATUS_UNSUCCESSFUL;
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (domains == NULL) {
+ talloc_free(mem_ctx2);
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (domains->count != 1) {
+ talloc_free(mem_ctx2);
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (names.names[0].sid_index != UINT32_MAX &&
+ names.names[0].sid_index >= domains->count)
+ {
+ talloc_free(mem_ctx2);
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
(*name) = talloc_asprintf(mem_ctx, "%s\\%s",
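Review bot: The added checks validate `names.count` and `domains->count` but not the array pointers behind them, yet the new `sid_index` test already dereferences `names.names[0]`. If the unmarshalling layer can hand back a non-zero count with a NULL array (not determinable from this hunk), a malformed reply still crashes the client here or in the `talloc_asprintf` that follows. I would add, after the `domains->count` check, `if (names.names == NULL || domains->domains == NULL) { talloc_free(mem_ctx2); return NT_STATUS_INVALID_NETWORK_RESPONSE; }`. The same question applies to `state->names.names` in the first wb_async_helpers.c hunk once `state->names.count != state->num_sids` has passed. The body of `smblsa_lookup_sid` starts and ends outside the hunk, so the arguments actually passed to `talloc_asprintf` are not visible.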
diff --git a/source4/winbind/wb_async_helpers.c b/source4/winbind/wb_async_helpers.c
index 2af8567fd4c..e3de2eb38ea 100644
--- a/source4/winbind/wb_async_helpers.c
+++ b/source4/winbind/wb_async_helpers.c
@@ -122,6 +122,12 @@ static void lsa_lookupsids_recv_names(struct tevent_req *subreq)
return;
}
+ if (state->names.count != state->num_sids) {
+ composite_error(state->ctx,
+ NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+
state->result = talloc_array(state, struct wb_sid_object *,
state->num_sids);
if (composite_nomem(state->result, state->ctx)) return;
@@ -142,9 +148,14 @@ static void lsa_lookupsids_recv_names(struct tevent_req *subreq)
continue;
}
+ if (domains == NULL) {
+ composite_error(state->ctx,
+ NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
if (name->sid_index >= domains->count) {
composite_error(state->ctx,
- NT_STATUS_INVALID_PARAMETER);
+ NT_STATUS_INVALID_NETWORK_RESPONSE);
return;
}
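Review bot: The range check `name->sid_index >= domains->count` has no `UINT32_MAX` exemption here, while the `smblsa_lookup_sid` hunk in this same commit lets `sid_index == UINT32_MAX` through, so the two callers now disagree on whether that sentinel is acceptable in a reply. Rejecting it is the safer behaviour if the value is used as an index afterwards (that use is outside the hunk), so I would keep the check and record the intent, e.g. `/* sid_index must be a usable index for entries that reach this point; UINT32_MAX is rejected */`. The `domains == NULL` test looks loop-invariant but sits after the `continue`, presumably so that skipped entries do not require a domain list. A one-line comment saying so would stop a later cleanup from hoisting it. The loop and the rest of `lsa_lookupsids_recv_names` lie outside the hunk.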