Bug 14754 - Out of memory access in winbind nss module on AIX
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Samba QA Contact
 
Reported: 2021-07-08 09:50 UTC by Ralph Böhme
Modified: 2021-07-29 12:39 UTC

Description Ralph Böhme 2021-07-08 09:50:52 UTC
There's an overflow in nsswitch/winbind_nss_aix.c:843

  ret[n] = NULL;

which was detected by running an application with MALLOCDEBUG=catch_overflow. The array is allocated as

  n = sizeof(attr_list) / sizeof(struct attr_types);
  size = (n*sizeof(attrlist_t *));
  if ( (ret = malloc( size )) == NULL ) ...

Guess the array should be allocated with

  size = ((n + 1) * sizeof(attrlist_t *));
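
The sizing problem described in the report above, as an added C example that is not part of the original report or of Samba's code. The `attrlist_t` and `struct attr_types` definitions are simplified stand-ins, the table contents are constructed, and `size_with_terminator`, `index_in_bounds`, `free_list` and `build_list` are hypothetical helper names.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified stand-ins for the types named in the report (layout assumed). */
typedef struct { const char *al_name; } attrlist_t;
struct attr_types { const char *name; };
/* Constructed sample table, not Samba's real attribute list. */
static const struct attr_types attr_list[] = { {"id"}, {"pgrp"}, {"home"} };
#define N_ATTRS (sizeof(attr_list) / sizeof(struct attr_types))

/* Sizing as quoted in the report: n slots, so ret[n] has no storage. */
size_t size_as_reported(size_t n) { return n * sizeof(attrlist_t *); }
/* n entries plus the NULL terminator; 0 if the multiplication would wrap. */
size_t size_with_terminator(size_t n)
{
    if (n >= SIZE_MAX / sizeof(attrlist_t *)) return 0;
    return (n + 1) * sizeof(attrlist_t *);
}

/* Nonzero when ret[idx] lies inside an allocation of `size` bytes. */
int index_in_bounds(size_t size, size_t idx) { return idx < size / sizeof(attrlist_t *); }

/* Free a NULL-terminated list; returns the number of entries released. */
size_t free_list(attrlist_t **list)
{
    size_t count = 0;
    if (list == NULL) return 0;
    while (list[count] != NULL) free(list[count++]);
    free(list);
    return count;
}

/* Build the NULL-terminated list using the corrected size. */
attrlist_t **build_list(void)
{
    size_t n = N_ATTRS, size = size_with_terminator(n);
    attrlist_t **ret = size ? calloc(1, size) : NULL; /* zeroed: always terminated */
    for (size_t i = 0; ret != NULL && i < n; i++) {
        if ((ret[i] = malloc(sizeof(attrlist_t))) == NULL) { free_list(ret); return NULL; }
        ret[i]->al_name = attr_list[i].name;
    }
    if (ret != NULL) ret[n] = NULL; /* in bounds: slot n was allocated */
    return ret;
}

int main(void)
{   /* Exit 0 when the reported sizing lacks slot n and the fixed list is intact. */
    return (!index_in_bounds(size_as_reported(N_ATTRS), N_ATTRS) && free_list(build_list()) == N_ATTRS) ? 0 : 1;
}
```
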
Comment 1 Samba QA Contact 2021-07-12 15:12:04 UTC
This bug was referenced in samba master:

44aba9c7cabedf7b5a01fb9c5f3099125dd70602