diff options
| author | Jeremy Allison <jra@samba.org> | 2013-11-07 21:40:55 -0800 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2013-12-09 07:05:46 +0100 |
| commit | 0dc618189469bf389a583eb346ddc6acaad1c644 (patch) | |
| tree | c2a788305792a22c554009077b5ffc9695bd5bbd /source3/winbindd | |
| parent | b0ba4a562112fc707f540e1ff7c8e55ea02479c9 (diff) | |
| download | samba-0dc618189469bf389a583eb346ddc6acaad1c644.tar.gz | |
CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3/winbindd')
| -rw-r--r-- | source3/winbindd/winbindd_rpc.c | 14 |
1 files changed, 2 insertions, 12 deletions
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index 7345ea798ed..6b88c8413c5 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c @@ -1063,7 +1063,7 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx, struct lsa_TransNameArray **pnames) { struct lsa_TransNameArray2 lsa_names2; - struct lsa_TransNameArray *names; + struct lsa_TransNameArray *names = *pnames; uint32_t i, count; NTSTATUS status, result; @@ -1088,10 +1088,6 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_NETWORK_RESPONSE; } - names = talloc_zero(mem_ctx, struct lsa_TransNameArray); - if (names == NULL) { - return NT_STATUS_NO_MEMORY; - } names->count = lsa_names2.count; names->names = talloc_array(names, struct lsa_TranslatedName, names->count); @@ -1114,7 +1110,6 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_NETWORK_RESPONSE; } } - *pnames = names; return result; } @@ -1124,7 +1119,7 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx, struct lsa_RefDomainList **pdomains, struct lsa_TransNameArray **pnames) { - struct lsa_TransNameArray *names; + struct lsa_TransNameArray *names = *pnames; struct rpc_pipe_client *cli = NULL; struct policy_handle lsa_policy; uint32_t count; @@ -1141,10 +1136,6 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx, pdomains, pnames); } - names = talloc_zero(mem_ctx, struct lsa_TransNameArray); - if (names == NULL) { - return NT_STATUS_NO_MEMORY; - } status = dcerpc_lsa_LookupSids(cli->binding_handle, mem_ctx, &lsa_policy, sids, pdomains, names, LSA_LOOKUP_NAMES_ALL, @@ -1172,6 +1163,5 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx, } } - *pnames = names; return result; } |