If the client sends a WINBINDD_PAM_AUTH request with a request->data.auth.user that is not null terminated within 256 bytes, then this code in parse_domain_user() can write the '\0' beyond the end of domain[]:

    p = strchr(domuser, *lp_winbind_separator());
    if (p != NULL) {
        ...;
        fstrcpy(domain, domuser);
        domain[PTR_DIFF(p, domuser)] = '\0';

domuser is request->data.auth.user. domain[] is a fixed 256 bytes long. The fstrcpy() won't copy more than 256 bytes, but PTR_DIFF(p,domuser) can be more than 256 if the client isn't playing nice.
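The two bounds the report above says are missing (the field must be NUL-terminated inside its own buffer, and the separator offset must fit inside domain[]), as an added example that is not Samba's code and not the fix that went into master; it assumes a 256-byte fstring, backslash as the winbind separator, and hypothetical function names:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define FSTRING_LEN 256   /* assumed: Samba's fstring is 256 bytes */

/* Split "DOMAIN\user" into domain/user only when the input is NUL-terminated
 * within buflen bytes and the separator lies inside domain[]; otherwise reject
 * the request instead of writing past the end of the fixed-size buffer. */
bool parse_domain_user_safe(const char *domuser, size_t buflen, char sep,
                            char domain[FSTRING_LEN], char user[FSTRING_LEN])
{
    /* Check 1: strchr() must not be allowed to run past the request field. */
    if (memchr(domuser, '\0', buflen) == NULL) {
        return false;
    }
    const char *p = strchr(domuser, sep);
    if (p == NULL) {
        /* No separator: the whole string is the user name, domain stays empty. */
        domain[0] = '\0';
        strncpy(user, domuser, FSTRING_LEN - 1);
        user[FSTRING_LEN - 1] = '\0';
        return true;
    }
    size_t dlen = (size_t)(p - domuser);   /* what PTR_DIFF(p, domuser) computes */
    /* Check 2: the index written below must stay inside domain[]. */
    if (dlen >= FSTRING_LEN) {
        return false;
    }
    memcpy(domain, domuser, dlen);
    domain[dlen] = '\0';
    strncpy(user, p + 1, FSTRING_LEN - 1);
    user[FSTRING_LEN - 1] = '\0';
    return true;
}

/* Constructed sample: a 256-byte user field with no NUL anywhere in it. */
bool demo_unterminated_is_rejected(void)
{
    char field[FSTRING_LEN], domain[FSTRING_LEN], user[FSTRING_LEN];
    memset(field, 'A', sizeof(field));
    return !parse_domain_user_safe(field, sizeof(field), '\\', domain, user);
}

/* Constructed sample: terminated, but the separator sits at offset 300. */
bool demo_far_separator_is_rejected(void)
{
    char field[512], domain[FSTRING_LEN], user[FSTRING_LEN];
    memset(field, 'A', 300);
    field[300] = '\\'; field[301] = 'u'; field[302] = '\0';
    return !parse_domain_user_safe(field, sizeof(field), '\\', domain, user);
}

/* Constructed sample: a well-formed "EXAMPLE\alice" splits as expected. */
bool demo_wellformed_is_split(void)
{
    char field[FSTRING_LEN] = "EXAMPLE\\alice", domain[FSTRING_LEN], user[FSTRING_LEN];
    return parse_domain_user_safe(field, sizeof(field), '\\', domain, user)
        && strcmp(domain, "EXAMPLE") == 0 && strcmp(user, "alice") == 0;
}
```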
Created attachment 18123: patch (with additional fixes for other instances of potential similar errors; most likely missed some though)
Noel, did you create a MR with the patch?
(In reply to Andreas Schneider from comment #2) Nope, at the time this was under consideration for a sec release I think (or I wasn't sure), so I was nervous about leaking anything. I don't see any flags selected here, so I guess I can create an MR.
This bug was referenced in samba master: 9267d9b2683cb66c6b0252aabca13f8d0c95c4aa
Comment on attachment 18123 (patch with additional fixes for other instances of potential similar errors; most likely missed some though): went for a different solution (now in master), see 9267d9b2683cb66c6b0252aabca13f8d0c95c4aa