diff options
author | Andrew Bartlett <abartlet@samba.org> | 2016-06-27 12:35:24 +1200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-07-28 10:06:12 +0200 |
commit | eeb594ce935190551d7d71812edef8ba506cd5d6 (patch) | |
tree | 38cef6e0e0baf54cc73675246c588e787075bcd5 /source4/dsdb/common/util.c | |
parent | b8335f6011fabe563cb238a17d6313068d39ce93 (diff) | |
download | samba-eeb594ce935190551d7d71812edef8ba506cd5d6.tar.gz |
dsdb: Limit potential stack use when parsing extended DNs
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Diffstat (limited to 'source4/dsdb/common/util.c')
-rw-r--r-- | source4/dsdb/common/util.c | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 0bbf4022523..448b20ae040 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -3720,7 +3720,10 @@ NTSTATUS dsdb_get_extended_dn_uint64(struct ldb_dn *dn, uint64_t *val, const cha return NT_STATUS_OBJECT_NAME_NOT_FOUND; } - { + /* Just check we don't allow the caller to fill our stack */ + if (v->length >= 64) { + return NT_STATUS_INVALID_PARAMETER; + } else { char s[v->length+1]; memcpy(s, v->data, v->length); s[v->length] = 0; @@ -3750,7 +3753,10 @@ NTSTATUS dsdb_get_extended_dn_uint32(struct ldb_dn *dn, uint32_t *val, const cha return NT_STATUS_OBJECT_NAME_NOT_FOUND; } - { + /* Just check we don't allow the caller to fill our stack */ + if (v->length >= 32) { + return NT_STATUS_INVALID_PARAMETER; + } else { char s[v->length + 1]; memcpy(s, v->data, v->length); s[v->length] = 0; @@ -3790,13 +3796,13 @@ NTSTATUS dsdb_get_extended_dn_sid(struct ldb_dn *dn, struct dom_sid *sid, const */ uint32_t dsdb_dn_rmd_flags(struct ldb_dn *dn) { - const struct ldb_val *v; - char buf[32]; - v = ldb_dn_get_extended_component(dn, "RMD_FLAGS"); - if (!v || v->length > sizeof(buf)-1) return 0; - strncpy(buf, (const char *)v->data, v->length); - buf[v->length] = 0; - return strtoul(buf, NULL, 10); + uint32_t rmd_flags = 0; + NTSTATUS status = dsdb_get_extended_dn_uint32(dn, &rmd_flags, + "RMD_FLAGS"); + if (NT_STATUS_IS_OK(status)) { + return rmd_flags; + } + return 0; } /* |