Attachment 17677 Details for Bug 15260 – Patch

[patch] Patch

15260.txt (text/plain), 1.11 KB, created by Volker Lendecke on 2022-12-06 14:09:11 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Volker Lendecke

Created: 2022-12-06 14:09:11 UTC

Size: 1.11 KB

patch

obsolete

>From d3f191b46b66dca93c71592959fbe1b43be3ab73 Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Tue, 6 Dec 2022 15:06:17 +0100
>Subject: [PATCH] nss_aix: Fix Bug 15260 int overflow in winbind_nss_aix
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=15260
>Signed-off-by: Volker Lendecke <vl@samba.org>
>---
> nsswitch/winbind_nss_aix.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/nsswitch/winbind_nss_aix.c b/nsswitch/winbind_nss_aix.c
>index f1f00e92a76..3bba18c9b07 100644
>--- a/nsswitch/winbind_nss_aix.c
>+++ b/nsswitch/winbind_nss_aix.c
>@@ -357,7 +357,7 @@ static char *wb_aix_getgrset(char *user)
> 	NSS_STATUS ret;
> 	int i, idx;
> 	char *tmpbuf;
>-	int num_gids;
>+	size_t num_gids;
> 	gid_t *gid_list;
> 	char *r_user = user;
> 
>@@ -385,6 +385,11 @@ static char *wb_aix_getgrset(char *user)
> 	num_gids = response.data.num_entries;
> 	gid_list = (gid_t *)response.extra_data.data;
> 
>+	if (num_gids > SIZE_MAX/12) {
>+		winbindd_free_response(&response);
>+		return NULL;
>+	}
>+
> 	/* allocate a space large enough to contruct the string */
> 	tmpbuf = malloc(num_gids*12);
> 	if (!tmpbuf) {
>-- 
>2.30.2
>

Actions: View

Attachments on bug 15260: 17677 | 17678