authorVolker Lendecke <vl@samba.org>2016-11-30 18:43:44 +0100
committerVolker Lendecke <vl@samba.org>2016-12-16 17:38:19 +0100
commitb64835a109b112543cc82a50c2dbb4ece5149ec6 (patch)
treefd2043619e11eb6100880236ff6796eb4db212df
parent5ee846fabf809b1b0070d53bef56f3735ac1e9bb (diff)
downloadsamba-b64835a109b112543cc82a50c2dbb4ece5149ec6.tar.gz
idmap_tdb: Harden idmap_tdb_common_unixid_to_sid
A record that is not NUL-terminated would make string_to_sid read beyond the end of the allocated data. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
-rw-r--r--source3/winbindd/idmap_tdb_common.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/source3/winbindd/idmap_tdb_common.c b/source3/winbindd/idmap_tdb_common.c
index ebf1bb90b2c..0d7e734cd5d 100644
--- a/source3/winbindd/idmap_tdb_common.c
+++ b/source3/winbindd/idmap_tdb_common.c
@@ -430,6 +430,12 @@ NTSTATUS idmap_tdb_common_unixid_to_sid(struct idmap_domain * dom,
goto done;
}
+ if ((data.dsize == 0) || (data.dptr[data.dsize-1] != '\0')) {
+ DBG_DEBUG("Invalid record length %zu\n", data.dsize);
+ ret = NT_STATUS_INTERNAL_DB_ERROR;
+ goto done;
+ }
+
if (!string_to_sid(map->sid, (const char *)data.dptr)) {
DEBUG(10, ("INVALID SID (%s) in record %s\n",
(const char *)data.dptr, keystr));
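Review bot: The new rejection path logs only at debug level and omits the key, so a truncated or corrupted mapping record is rejected without leaving anything an operator can act on at normal log levels. Since `keystr` is already used by the `INVALID SID` message just below, I would log `DBG_WARNING("Invalid record length %zu for key %s\n", data.dsize, keystr);` so the bad record can be located and repaired. The guard itself is ordered correctly, because `data.dsize == 0` short-circuits before `data.dptr[data.dsize-1]` is indexed. The function body starts and ends outside this hunk; if the other lookup paths in this file also treat `data.dptr` as a C string, they presumably need the same terminator check, which is not visible here.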