authorVolker Lendecke <vl@samba.org>2019-02-26 11:06:29 +0100
committerVolker Lendecke <vl@samba.org>2019-02-28 12:57:23 +0000
commitd8a7caa5b03428dd9b0808135b34c21e217dbe2e (patch)
treecb8f3b36fc02e3858fe2d15593287e07d0bab6b5 /nsswitch
parenteb62dc39eb48b4e2207c80c232664ca37af9c2e6 (diff)
libwbclient: Protect wbcCtxUnixIdsToSids against integer-wrap
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Christof Schmitt <cs@samba.org>
Diffstat (limited to 'nsswitch')
-rw-r--r--nsswitch/libwbclient/wbc_idmap.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/nsswitch/libwbclient/wbc_idmap.c b/nsswitch/libwbclient/wbc_idmap.c
index f61efb92b8d..6876a95316c 100644
--- a/nsswitch/libwbclient/wbc_idmap.c
+++ b/nsswitch/libwbclient/wbc_idmap.c
@@ -423,10 +423,20 @@ wbcErr wbcCtxUnixIdsToSids(struct wbcContext *ctx,
wbcErr wbc_status;
char *buf;
char *s;
+ const size_t sidlen = (1 /* U/G */ + 10 /* 2^32 */ + 1 /* \n */);
size_t ofs, buflen;
uint32_t i;
- buflen = num_ids * (1 /* U/G */ + 10 /* 2^32 */ + 1 /* \n */) + 1;
+ if (num_ids > SIZE_MAX / sidlen) {
+ return WBC_ERR_NO_MEMORY; /* overflow */
+ }
+ buflen = num_ids * sidlen;
+
+ buflen += 1; /* trailing \0 */
+ if (buflen < 1) {
+ return WBC_ERR_NO_MEMORY; /* overflow */
+ }
+
buf = malloc(buflen);
if (buf == NULL) {
return WBC_ERR_NO_MEMORY;
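Review bot: The two overflow guards ahead of `malloc(buflen)` can be collapsed into one pre-check that covers both the multiplication and the trailing-NUL increment: `if (num_ids > (SIZE_MAX - 1) / sidlen) { return WBC_ERR_NO_MEMORY; }` followed by `buflen = num_ids * sidlen + 1;`. As written, the `buflen < 1` test detects the overflow only after the unsigned value has wrapped to zero, which is well-defined but harder to read than a check made before the arithmetic. Both guards return WBC_ERR_NO_MEMORY, so a caller cannot tell an oversized `num_ids` from a failed allocation; `WBC_ERR_INVALID_PARAM` may be the more accurate status, if existing callers tolerate it. The body of wbcCtxUnixIdsToSids starts and ends outside this hunk, so the later writes into `buf` against `buflen` could not be checked here.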