The Samba-Bugzilla – Attachment 16407 Details for
Bug 14571
CVE-2021-20254 [SECURITY] Buffer overrun in sids_to_unixids() [source3/passdb/lookup_sid.c]
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Make sids_to_unixids() in source3/passdb/lookup_sids.c more robust
lookup_sid.c.diff (text/plain), 1.58 KB, created by
Peter Eriksson
on 2021-01-26 18:54:21 UTC
(
hide
)
Description:
Make sids_to_unixids() in source3/passdb/lookup_sids.c more robust
Filename:
MIME Type:
Creator:
Peter Eriksson
Created:
2021-01-26 18:54:21 UTC
Size:
1.58 KB
patch
obsolete
>--- source3/passdb/lookup_sid.c.ORIG 2021-01-26 16:25:59.235435000 +0100 >+++ source3/passdb/lookup_sid.c 2021-01-26 19:31:37.547397000 +0100 >@@ -1247,7 +1247,7 @@ > { > struct wbcDomainSid *wbc_sids = NULL; > struct wbcUnixId *wbc_ids = NULL; >- uint32_t i, num_not_cached; >+ uint32_t i, num_not_cached, num_not_cached_size, cached_not_specified; > wbcErr err; > bool ret = false; > >@@ -1257,7 +1257,8 @@ > } > > num_not_cached = 0; >- >+ cached_not_specified = 0; >+ > for (i=0; i<num_sids; i++) { > bool expired; > uint32_t rid; >@@ -1277,6 +1278,9 @@ > if (idmap_cache_find_sid2unixid(&sids[i], &ids[i], &expired) > && !expired) > { >+ if (ids[i].type == ID_TYPE_NOT_SPECIFIED) >+ cached_not_specified++; >+ > continue; > } > ids[i].type = ID_TYPE_NOT_SPECIFIED; >@@ -1287,6 +1291,10 @@ > if (num_not_cached == 0) { > goto done; > } >+ if (cached_not_specified > 0) >+ DEBUG(1, ("DANGER, WILL ROBINSON, DANGER! (cached_not_specified=%d, num_not_cached=%d)\n", >+ cached_not_specified, num_not_cached)); >+ num_not_cached_size = num_not_cached; > wbc_ids = talloc_array(talloc_tos(), struct wbcUnixId, num_not_cached); > if (wbc_ids == NULL) { > goto fail; >@@ -1304,6 +1312,11 @@ > > for (i=0; i<num_sids; i++) { > if (ids[i].type == ID_TYPE_NOT_SPECIFIED) { >+ if (num_not_cached >= num_not_cached_size) { >+ DEBUG(1, ("ERROR - num_not_cached(%d) >= num_not_cached_size(%d), i=%d, num_sids=%d\n", >+ num_not_cached, num_not_cached_size, i, num_sids)); >+ goto fail; >+ } > switch (wbc_ids[num_not_cached].type) { > case WBC_ID_TYPE_UID: > ids[i].type = ID_TYPE_UID;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=16407">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 14571
:
16407
|
16410
|
16466
|
16467
|
16499
|
16505
|
16506
|
16507
|
16508
|
16509
|
16510
|
16511
|
16516
|
16517
|
16519
|
16520
|
16532
|
16533
|
16534
|
16535
|
16536
|
16537
|
16538
|
16539
|
16542
|
16543
|
16544
|
16545
|
16546
|
16548
|
16551
|
16553
|
16595