The Samba-Bugzilla – Attachment 17673 Details for Bug 15257: Stack smashing in net offlinejoin requestodj
[patch]
patch for 4.17 and 4.16
0001-s3-utils-Fix-stack-smashing-in-net-offlinejoin.patch (text/plain), 2.63 KB, created by Andreas Schneider on 2022-12-05 12:26:02 UTC
>From 740ab995af3c30e05e734a2735a794daa71f2e36 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Mon, 5 Dec 2022 11:18:10 +0100 >Subject: [PATCH] s3:utils: Fix stack smashing in net offlinejoin > >Cast from 'uint32_t *' (aka 'unsigned int *') to 'size_t *' (aka >'unsigned long *') increases required alignment from 4 to 8 > >==10343==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc6784fc0 at pc 0x7f339f1ea500 bp 0x7ffdc6784ed0 sp 0x7ffdc6784ec8 >WRITE of size 8 at 0x7ffdc6784fc0 thread T0 > #0 0x7f339f1ea4ff in fd_load ../../lib/util/util_file.c:220 > #1 0x7f339f1ea5a4 in file_load ../../lib/util/util_file.c:245 > #2 0x56363209a596 in net_offlinejoin_requestodj ../../source3/utils/net_offlinejoin.c:267 > #3 0x56363209a9d0 in net_offlinejoin ../../source3/utils/net_offlinejoin.c:74 > #4 0x56363208f61c in net_run_function ../../source3/utils/net_util.c:453 > #5 0x563631fe8a9f in main ../../source3/utils/net.c:1358 > #6 0x7f339b22c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > #7 0x7f339b22c678 in __libc_start_main_impl ../csu/libc-start.c:381 > #8 0x563631faf374 in _start ../sysdeps/x86_64/start.S:115 > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15257 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit ef8c8ac54cdf75ca4333223c1f3e580e31efca92) >--- > source3/utils/net_offlinejoin.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > >diff --git a/source3/utils/net_offlinejoin.c b/source3/utils/net_offlinejoin.c >index ef56ba9fce8..03e5df0eace 100644 >--- a/source3/utils/net_offlinejoin.c >+++ b/source3/utils/net_offlinejoin.c 
>@@ -237,7 +237,7 @@ int net_offlinejoin_requestodj(struct net_context *c, > { > NET_API_STATUS status; > uint8_t *provision_bin_data = NULL; >- uint32_t provision_bin_data_size = 0; >+ size_t provision_bin_data_size = 0; > uint32_t options = NETSETUP_PROVISION_ONLINE_CALLER; > const char *loadfile = NULL; > const char *windows_path = NULL; >@@ -264,12 +264,17 @@ int net_offlinejoin_requestodj(struct net_context *c, > #endif > } > >- provision_bin_data = (uint8_t *)file_load(loadfile, >- (size_t *)&provision_bin_data_size, 0, c); >+ provision_bin_data = >+ (uint8_t *)file_load(loadfile, &provision_bin_data_size, 0, c); > if (provision_bin_data == NULL) { > d_printf("Failed to read loadfile: %s\n", loadfile); > return -1; > } >+ if (provision_bin_data_size > UINT32_MAX) { >+ d_printf("provision binary data size too big: %zu\n", >+ provision_bin_data_size); >+ return -1; >+ } > > status = NetRequestOfflineDomainJoin(provision_bin_data, > provision_bin_data_size, >-- >2.38.1 >
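Review bot: In the first hunk (the declaration of provision_bin_data_size in net_offlinejoin_requestodj), the commit message should say why the stack is smashed, not only quote the alignment warning. The ASan report shows a "WRITE of size 8" in fd_load, which is a size_t being stored through a pointer to the 4-byte uint32_t that the old code cast with (size_t *). One sentence stating that in the message would make the root cause clear to anyone reading the log later.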
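Review bot: In the second hunk, the new check "provision_bin_data_size > UINT32_MAX" can never be true on a build where size_t is 32 bits wide, and compilers that warn about always-false comparisons may flag it there. Consider wrapping it in "#if SIZE_MAX > UINT32_MAX" or documenting that the warning is expected. Separately, provision_bin_data_size is still passed as a size_t to NetRequestOfflineDomainJoin() right after the check; if that parameter is a uint32_t, an explicit "(uint32_t)provision_bin_data_size" at the call would show that the narrowing is intentional and bounded by the check above it.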
Flags: vl: review+