The Samba-Bugzilla – Attachment 18123 Details for Bug 15467: winbindd's parse_domain_user() can write beyond the end of domain[]
[patch]
patch (with additional fixes for other instances of potential similar errors (most likely missed some though)
fstring.patch (text/plain), 4.57 KB, created by Noel Power on 2023-09-25 17:29:15 UTC
>From e24974380d828a65e5e385b7aee1555a32f8401d Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Mon, 25 Sep 2023 14:27:25 +0100 >Subject: [PATCH 1/5] s3/utils: Ensure we don't write beyond end of fstring > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15467 >Signed-off-by: Noel Power <noel.power@suse.com> >--- > source3/utils/ntlm_auth.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c >index f0f7345d62f..14d0e06afef 100644 >--- a/source3/utils/ntlm_auth.c >+++ b/source3/utils/ntlm_auth.c >@@ -393,7 +393,7 @@ static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain, > > fstrcpy(user, p+1); > fstrcpy(domain, domuser); >- domain[PTR_DIFF(p, domuser)] = 0; >+ domain[MIN(PTR_DIFF(p, domuser), sizeof(fstring) - 1)] = 0; > return strupper_m(domain); > } > >-- >2.35.3 > > >From cefd138d151cc8e9421e917b76d23868bdfc1537 Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Mon, 25 Sep 2023 14:30:14 +0100 >Subject: [PATCH 2/5] nsswitch: Ensure we can't write beyond end of fstring > >Signed-off-by: Noel Power <noel.power@suse.com> >--- > nsswitch/wbinfo.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > >diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c >index 6148b204043..7a7be197763 100644 >--- a/nsswitch/wbinfo.c >+++ b/nsswitch/wbinfo.c >@@ -117,7 +117,7 @@ static bool parse_wbinfo_domain_user(const char *domuser, fstring domain, > { > > char *p = strchr(domuser,winbind_separator()); >- >+ int eos; > if (!p) { > /* Maybe it was a UPN? */ > p = strchr(domuser, '@'); >@@ -134,7 +134,13 @@ static bool parse_wbinfo_domain_user(const char *domuser, fstring domain, > > fstrcpy(user, p+1); > fstrcpy(domain, domuser); >- domain[PTR_DIFF(p, domuser)] = 0; >+ >+ eos = PTR_DIFF(p, domuser); >+ if (eos > (sizeof(fstring) - 1)) { >+ eos = sizeof(fstring) - 1; >+ } >+ >+ domain[eos] = 0; > > return true; > } >-- >2.35.3 
> > >From bb48ecfc503bf9772e3fc299c3dcf853c26c6e8c Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Mon, 25 Sep 2023 18:16:56 +0100 >Subject: [PATCH 3/5] libgpo/gpext: Ensure we can't write beyond end of fstring > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15467 >Signed-off-by: Noel Power <noel.power@suse.com> >--- > libgpo/gpext/gpext.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > >diff --git a/libgpo/gpext/gpext.c b/libgpo/gpext/gpext.c >index 45c89707720..d8d38e3f109 100644 >--- a/libgpo/gpext/gpext.c >+++ b/libgpo/gpext/gpext.c >@@ -569,7 +569,8 @@ static NTSTATUS gp_glob_ext_list(TALLOC_CTX *mem_ctx, > } > > fstrcpy(name, dirent->d_name); >- name[PTR_DIFF(p, dirent->d_name)] = 0; >+ name[MIN(PTR_DIFF(p, dirent->d_name), >+ sizeof(fstring) - 1)] = 0; > > if (!add_string_to_array(mem_ctx, name, ext_list, > ext_list_len)) { >-- >2.35.3 > > >From b9a8dd2e42d74c87b35191a3f3d2baa7fe73a1eb Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Mon, 25 Sep 2023 18:18:09 +0100 >Subject: [PATCH 4/5] s3/winbind: Ensure we can't write beyond end of fstring > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15467 >Signed-off-by: Noel Power <noel.power@suse.com> >--- > source3/winbindd/winbindd_util.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c >index 773cdab3da9..3384e1849c5 100644 >--- a/source3/winbindd/winbindd_util.c >+++ b/source3/winbindd/winbindd_util.c >@@ -1562,7 +1562,7 @@ bool parse_domain_user(const char *domuser, > if (p != NULL) { > fstrcpy(user, p + 1); > fstrcpy(domain, domuser); >- domain[PTR_DIFF(p, domuser)] = '\0'; >+ domain[MIN(PTR_DIFF(p, domuser),sizeof(fstring)-1)] = '\0'; > fstrcpy(namespace, domain); > } else { > fstrcpy(user, domuser); >-- >2.35.3 > > >From e28ba218c6d650d7603348b874588cdc51a319ec Mon Sep 17 00:00:00 2001 
>From: Noel Power <noel.power@suse.com> >Date: Mon, 25 Sep 2023 18:18:35 +0100 >Subject: [PATCH 5/5] s4/torture: Ensure we can't write beyond end of fstring > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15467 >Signed-off-by: Noel Power <noel.power@suse.com> >--- > source4/torture/winbind/struct_based.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source4/torture/winbind/struct_based.c b/source4/torture/winbind/struct_based.c >index 1c8751e7f9c..5bda0d00d46 100644 >--- a/source4/torture/winbind/struct_based.c >+++ b/source4/torture/winbind/struct_based.c >@@ -985,7 +985,7 @@ static bool parse_domain_user(struct torture_context *torture, > > fstrcpy(user, p+1); > fstrcpy(domain, domuser); >- domain[PTR_DIFF(p, domuser)] = 0; >+ domain[MIN(PTR_DIFF(p, domuser), sizeof(fstring) - 1)] = 0; > > return true; > } >-- >2.35.3 >
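Review bot: In parse_ntlm_auth_domain_user() (PATCH 1/5, source3/utils/ntlm_auth.c), the clamped index on the `domain[MIN(...)] = 0` line stops the out-of-bounds write but lets an over-long domain part through as a silently truncated name, and the function still goes on to `return strupper_m(domain);`. Suggest rejecting the input instead: when PTR_DIFF(p, domuser) > sizeof(fstring) - 1, return false before the fstrcpy() calls, so callers never act on a domain name that differs from the one supplied.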
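Review bot: In parse_wbinfo_domain_user() (PATCH 2/5, nsswitch/wbinfo.c), `eos` is declared `int` but holds a pointer difference and is compared against `sizeof(fstring) - 1`, so the `if (eos > (sizeof(fstring) - 1))` test mixes signed and unsigned operands. Suggest `size_t eos` or the MIN() form used in the other four patches, keeping a blank line between the declaration and `if (!p) {`. This is also the only commit message in the series without the BUG: tag.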
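Review bot: In gp_glob_ext_list() (PATCH 3/5, libgpo/gpext/gpext.c), a directory entry whose name part before `p` does not fit in an fstring is now truncated by the clamped `name[MIN(...)] = 0` and still passed to add_string_to_array(), so the extension list can gain a name that does not correspond to the entry on disk. Suggest skipping the entry when PTR_DIFF(p, dirent->d_name) > sizeof(fstring) - 1 rather than clamping the index.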
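Review bot: In parse_domain_user() (PATCH 4/5, source3/winbindd/winbindd_util.c), the clamped `domain[...] = '\0'` line is followed directly by `fstrcpy(namespace, domain);`, so an over-long domain part is truncated and the truncated value is then propagated into namespace while parsing carries on. Since the function returns bool, suggest failing the parse when PTR_DIFF(p, domuser) > sizeof(fstring) - 1. Style: the new line also needs spaces, `MIN(PTR_DIFF(p, domuser), sizeof(fstring) - 1)`, to match the other hunks in the series.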
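Review bot: In the torture copy of parse_domain_user() (PATCH 5/5, source4/torture/winbind/struct_based.c), the helper still ends in `return true;` after the clamp, so a test fed an over-long domain part carries on with a truncated domain instead of failing. Suggest returning false, or reporting through the torture context, in that case. This is also the fifth copy of the same MIN(PTR_DIFF(...), sizeof(fstring) - 1) expression in the series; a shared helper for "copy the part before the separator into an fstring" would make any call sites not covered here easier to find and fix the same way.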