diff options
author | Volker Lendecke <vl@samba.org> | 2019-02-26 11:06:29 +0100 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2019-02-28 12:57:23 +0000 |
commit | d8a7caa5b03428dd9b0808135b34c21e217dbe2e (patch) | |
tree | cb8f3b36fc02e3858fe2d15593287e07d0bab6b5 /nsswitch | |
parent | eb62dc39eb48b4e2207c80c232664ca37af9c2e6 (diff) | |
download | samba-d8a7caa5b03428dd9b0808135b34c21e217dbe2e.tar.gz |
libwbclient: Protect wbcCtxUnixIdsToSids against integer-wrap
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Diffstat (limited to 'nsswitch')
-rw-r--r-- | nsswitch/libwbclient/wbc_idmap.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/nsswitch/libwbclient/wbc_idmap.c b/nsswitch/libwbclient/wbc_idmap.c index f61efb92b8d..6876a95316c 100644 --- a/nsswitch/libwbclient/wbc_idmap.c +++ b/nsswitch/libwbclient/wbc_idmap.c @@ -423,10 +423,20 @@ wbcErr wbcCtxUnixIdsToSids(struct wbcContext *ctx, wbcErr wbc_status; char *buf; char *s; + const size_t sidlen = (1 /* U/G */ + 10 /* 2^32 */ + 1 /* \n */); size_t ofs, buflen; uint32_t i; - buflen = num_ids * (1 /* U/G */ + 10 /* 2^32 */ + 1 /* \n */) + 1; + if (num_ids > SIZE_MAX / sidlen) { + return WBC_ERR_NO_MEMORY; /* overflow */ + } + buflen = num_ids * sidlen; + + buflen += 1; /* trailing \0 */ + if (buflen < 1) { + return WBC_ERR_NO_MEMORY; /* overflow */ + } + buf = malloc(buflen); if (buf == NULL) { return WBC_ERR_NO_MEMORY; |