Description: fix denial of service and possible arbitrary code execution via large number of SID sub authorities Bug: https://bugzilla.samba.org/show_bug.cgi?id=7669 Author: Andrew Bartlett and Jeremy Allison diff -Nur samba-3.0.28a/source/lib/util_sid.c samba-3.0.28a.new/source/lib/util_sid.c --- samba-3.0.28a/source/lib/util_sid.c 2008-03-08 10:33:34.000000000 -0500 +++ samba-3.0.28a.new/source/lib/util_sid.c 2010-09-09 11:09:42.000000000 -0400 @@ -403,6 +403,9 @@ sid->sid_rev_num = CVAL(inbuf, 0); sid->num_auths = CVAL(inbuf, 1); + if (sid->num_auths > MAXSUBAUTHS) { + return false; + } memcpy(sid->id_auth, inbuf+2, 6); if (len < 8 + sid->num_auths*4) return False; diff -Nur samba-3.0.28a/source/libads/ldap.c samba-3.0.28a.new/source/libads/ldap.c --- samba-3.0.28a/source/libads/ldap.c 2008-03-08 10:33:35.000000000 -0500 +++ samba-3.0.28a.new/source/libads/ldap.c 2010-09-09 11:09:42.000000000 -0400 @@ -1722,7 +1722,9 @@ int i; for (i=0; values[i]; i++) { DOM_SID sid; - sid_parse(values[i]->bv_val, values[i]->bv_len, &sid); + if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) { + return; + } printf("%s: %s\n", field, sid_string_static(&sid)); } } diff -Nur samba-3.0.28a/source/libsmb/cliquota.c samba-3.0.28a.new/source/libsmb/cliquota.c --- samba-3.0.28a/source/libsmb/cliquota.c 2008-03-08 10:33:35.000000000 -0500 +++ samba-3.0.28a.new/source/libsmb/cliquota.c 2010-09-09 11:09:42.000000000 -0400 @@ -117,7 +117,9 @@ } #endif /* LARGE_SMB_OFF_T */ - sid_parse(rdata+40,sid_len,&qt.sid); + if (!sid_parse(rdata+40,sid_len,&qt.sid)) { + return False; + } qt.qtype = SMB_USER_QUOTA_TYPE; diff -Nur samba-3.0.28a/source/smbd/nttrans.c samba-3.0.28a.new/source/smbd/nttrans.c --- samba-3.0.28a/source/smbd/nttrans.c 2008-03-08 10:33:36.000000000 -0500 +++ samba-3.0.28a.new/source/smbd/nttrans.c 2010-09-09 11:09:42.000000000 -0400 @@ -2424,7 +2424,10 @@ /* unknown 4 bytes: this is not the length of the sid :-( */ /*unknown = IVAL(pdata,0);*/ - sid_parse(pdata+4,sid_len,&sid); + if (!sid_parse(pdata+4,sid_len,&sid)) { + return ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + DEBUGADD(10,("for SID: %s\n",sid_string_static(&sid))); if (!sid_to_uid(&sid, &uid)) { @@ -2662,7 +2665,9 @@ break; } - sid_parse(pdata+8,sid_len,&sid); + if (!sid_parse(pdata+8,sid_len,&sid)) { + return ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) { ZERO_STRUCT(qt); @@ -2828,7 +2833,9 @@ } #endif /* LARGE_SMB_OFF_T */ - sid_parse(pdata+40,sid_len,&sid); + if (!sid_parse(pdata+40,sid_len,&sid)) { + return ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } DEBUGADD(8,("SID: %s\n",sid_string_static(&sid))); /* 44 unknown bytes left... */