diff options
author | Jeremy Allison <jra@samba.org> | 2013-11-07 21:40:55 -0800 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-12-09 07:05:46 +0100 |
commit | 0dc618189469bf389a583eb346ddc6acaad1c644 (patch) | |
tree | c2a788305792a22c554009077b5ffc9695bd5bbd /source4/winbind | |
parent | b0ba4a562112fc707f540e1ff7c8e55ea02479c9 (diff) | |
download | samba-0dc618189469bf389a583eb346ddc6acaad1c644.tar.gz |
CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source4/winbind')
-rw-r--r-- | source4/winbind/wb_async_helpers.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/source4/winbind/wb_async_helpers.c b/source4/winbind/wb_async_helpers.c index e3de2eb38ea..2a05f124656 100644 --- a/source4/winbind/wb_async_helpers.c +++ b/source4/winbind/wb_async_helpers.c @@ -285,6 +285,12 @@ static void lsa_lookupnames_recv_sids(struct tevent_req *subreq) return; } + if (state->sids.count != state->num_names) { + composite_error(state->ctx, + NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + state->result = talloc_array(state, struct wb_sid_object *, state->num_names); if (composite_nomem(state->result, state->ctx)) return; @@ -303,9 +309,14 @@ static void lsa_lookupnames_recv_sids(struct tevent_req *subreq) continue; } + if (domains == NULL) { + composite_error(state->ctx, + NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } if (sid->sid_index >= domains->count) { composite_error(state->ctx, - NT_STATUS_INVALID_PARAMETER); + NT_STATUS_INVALID_NETWORK_RESPONSE); return; } |