Bug 15467 - winbindd's parse_domain_user() can write beyond the end of domain[]
Summary: winbindd's parse_domain_user() can write beyond the end of domain[]
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-03 16:48 UTC by Robert Morris
Modified: 2023-10-24 14:27 UTC
CC: 2 users

See Also:


Attachments
patch (with additional fixes for other instances of potential similar errors (most likely missed some though) (4.57 KB, patch)
2023-09-25 17:29 UTC, Noel Power

Description Robert Morris 2023-09-03 16:48:58 UTC
If the client sends a WINBINDD_PAM_AUTH request with a
request->data.auth.user that is not null terminated within 256 bytes,
then this code in parse_domain_user() can write the '\0' beyond the
end of domain[]:

        p = strchr(domuser, *lp_winbind_separator());
        if (p != NULL) {
                ...;
                fstrcpy(domain, domuser);
                domain[PTR_DIFF(p, domuser)] = '\0';

domuser is request->data.auth.user. domain[] is a fixed 256 bytes
long. The fstrcpy() won't copy more than 256 bytes, but
PTR_DIFF(p,domuser) can be more than 256 if the client isn't playing
nice.
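A bounded version of the split the report describes, added here as an illustration; it is neither Samba's code nor the fix that later landed in master. The function names are made up, and FSTRING_LEN is assumed to mirror the fixed 256-byte fstring domain[] the report refers to.

```c
/* Added example, not Samba's code: a bounded domain\user split for the
 * report's case.  FSTRING_LEN mirrors Samba's fstring; names are made up. */
#include <stdbool.h>
#include <string.h>

#define FSTRING_LEN 256
typedef char fstring[FSTRING_LEN];

/* Fills domain[]/user[] and returns true only when both parts fit.  Input is
 * read with memchr over at most maxlen bytes, so it need not be terminated. */
static bool parse_domain_user_bounded(const char *domuser, size_t maxlen,
                                      char sep, fstring domain, fstring user)
{
        const char *p = memchr(domuser, sep, maxlen), *end;
        size_t domlen, rest, ulen;
        if (p == NULL)
                return false;           /* no separator in the input */
        domlen = (size_t)(p - domuser);
        /* The report's bug: domain[domlen] = '\0' with domlen >= 256 writes
         * past domain[].  Check the offset before writing the terminator. */
        if (domlen >= sizeof(fstring))
                return false;
        memcpy(domain, domuser, domlen);
        domain[domlen] = '\0';
        rest = maxlen - domlen - 1;     /* bytes after the separator */
        end = memchr(p + 1, '\0', rest);
        ulen = end != NULL ? (size_t)(end - (p + 1)) : rest;
        if (ulen >= sizeof(fstring))
                return false;
        memcpy(user, p + 1, ulen);
        user[ulen] = '\0';
        return true;
}

/* Constructed inputs: a well-formed name, then a 300-byte unterminated
 * buffer with the separator at offset 299 (the report's scenario). */
static bool demo_normal_ok(void)
{
        fstring d, u;
        return parse_domain_user_bounded("EXAMPLE\\alice", 13, '\\', d, u) &&
               strcmp(d, "EXAMPLE") == 0 && strcmp(u, "alice") == 0;
}
static bool demo_overlong_rejected(void)
{
        char buf[300];
        fstring d, u;
        memset(buf, 'A', sizeof(buf));
        buf[299] = '\\';
        return !parse_domain_user_bounded(buf, sizeof(buf), '\\', d, u);
}
```

With the check in place the overlong request is rejected instead of the terminator being written at domain[299].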
Comment 1 Noel Power 2023-09-25 17:29:15 UTC
Created attachment 18123
patch (with additional fixes for other instances of potential similar errors (most likely missed some though)
Comment 2 Andreas Schneider 2023-10-17 09:59:46 UTC
Noel, did you create a MR with the patch?
Comment 3 Noel Power 2023-10-19 09:57:12 UTC
(In reply to Andreas Schneider from comment #2)
nope, at the time this was under consideration for sec release I think (or I wasn't sure) so I was nervous about leaking anything. I don't see any flags selected here so I guess I can create an MR
Comment 4 Samba QA Contact 2023-10-24 13:48:04 UTC
This bug was referenced in samba master:

9267d9b2683cb66c6b0252aabca13f8d0c95c4aa
Comment 5 Noel Power 2023-10-24 14:27:57 UTC
Comment on attachment 18123
patch (with additional fixes for other instances of potential similar errors (most likely missed some though)

went for a different solution (now in master), see 9267d9b2683cb66c6b0252aabca13f8d0c95c4aa