authorJeremy Allison <jra@samba.org>2010-09-09 15:54:23 +0200
committerKarolin Seeger <kseeger@samba.org>2010-09-09 15:54:23 +0200
commita34c3e999bb1ea61da31c5b3e845b19663039358 (patch)
tree0c24ba3214c67f3c6fc02aa239ff040261081198 /source3/lib
parent160cbf1d242617409977e87d12f4871625052d4d (diff)
Fix bug #7669.
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in Samba4). CVE-2010-3069: =========== Description =========== All current released versions of Samba are vulnerable to a buffer overrun vulnerability. The sid_parse() function (and related dom_sid_parse() function in the source4 code) do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID). This allows a malicious client to send a sid that can overflow the stack variable that is being used to store the SID in the Samba smbd server. A connection to a file share is needed to exploit this vulnerability, either authenticated or unauthenticated (guest connection).
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/util_sid.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 639269cac2c..bea04d8c6ee 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
sid->sid_rev_num = CVAL(inbuf, 0);
sid->num_auths = CVAL(inbuf, 1);
+ if (sid->num_auths > MAXSUBAUTHS) {
+ return false;
+ }
memcpy(sid->id_auth, inbuf+2, 6);
if (len < 8 + sid->num_auths*4)
return False;
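Review bot: On the rejection path added before the memcpy, sid->num_auths still holds the out-of-range count read from the input buffer, so a caller that ignores the return value is left with a DOM_SID whose count exceeds MAXSUBAUTHS. Whether any caller does that is not visible here, but clearing the field costs one line, `sid->num_auths = 0;` before `return false;`, or the count can be read into a local and stored only after both length checks pass. The new branch also spells `false` while the existing check two lines below uses `False`; matching the surrounding spelling keeps the function uniform. A short comment such as `/* num_auths comes from the client; reject counts the fixed-size SID cannot hold */` would record why the bound exists. sid_parse() begins and ends outside this hunk.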