diff options
author | Jeremy Allison <jra@samba.org> | 2010-09-09 15:54:23 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2010-09-09 15:54:23 +0200 |
commit | a34c3e999bb1ea61da31c5b3e845b19663039358 (patch) | |
tree | 0c24ba3214c67f3c6fc02aa239ff040261081198 /source3/lib | |
parent | 160cbf1d242617409977e87d12f4871625052d4d (diff) | |
download | samba-a34c3e999bb1ea61da31c5b3e845b19663039358.tar.gz |
Fix bug #7669.
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
Diffstat (limited to 'source3/lib')
-rw-r--r-- | source3/lib/util_sid.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 639269cac2c..bea04d8c6ee 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid) sid->sid_rev_num = CVAL(inbuf, 0); sid->num_auths = CVAL(inbuf, 1); + if (sid->num_auths > MAXSUBAUTHS) { + return false; + } memcpy(sid->id_auth, inbuf+2, 6); if (len < 8 + sid->num_auths*4) return False; |