
cliquota: some security hardening

Add checks that the next-record offset in the returned quota buffer
stays within bounds before it is used to advance through the buffer.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Uri Simchoni 2016-09-19 18:24:58 +03:00 committed by Jeremy Allison
parent 621d7b41d9
commit 72c773c9c2


@ -73,11 +73,18 @@ bool parse_user_quota_record(const uint8_t *rdata,
/* sid len */ /* sid len */
sid_len = IVAL(rdata,4); sid_len = IVAL(rdata,4);
if (40 + sid_len < 40) {
return false;
}
if (rdata_count < 40+sid_len) { if (rdata_count < 40+sid_len) {
return False; return False;
} }
if (*offset != 0 && *offset < 40 + sid_len) {
return false;
}
/* unknown 8 bytes in pdata /* unknown 8 bytes in pdata
* maybe its the change time in NTTIME * maybe its the change time in NTTIME
*/ */
@ -260,10 +267,9 @@ static NTSTATUS cli_list_user_quota_step(struct cli_state *cli,
status = NT_STATUS_NO_MORE_ENTRIES; status = NT_STATUS_NO_MORE_ENTRIES;
} }
offset = 1; curdata = rdata;
for (curdata=rdata,curdata_count=rdata_count; curdata_count = rdata_count;
((curdata)&&(curdata_count>=8)&&(offset>0)); while (true) {
curdata +=offset,curdata_count -= offset) {
ZERO_STRUCT(qt); ZERO_STRUCT(qt);
if (!parse_user_quota_record((const uint8_t *)curdata, curdata_count, if (!parse_user_quota_record((const uint8_t *)curdata, curdata_count,
&offset, &qt)) { &offset, &qt)) {
@ -286,6 +292,25 @@ static NTSTATUS cli_list_user_quota_step(struct cli_state *cli,
tmp_list_ent->mem_ctx = mem_ctx; tmp_list_ent->mem_ctx = mem_ctx;
DLIST_ADD((*pqt_list),tmp_list_ent); DLIST_ADD((*pqt_list),tmp_list_ent);
if (offset > curdata_count) {
DEBUG(1, ("out of bounds offset in quota record\n"));
status = NT_STATUS_INVALID_NETWORK_RESPONSE;
goto cleanup;
}
if (curdata + offset < curdata) {
DEBUG(1, ("Pointer overflow in quota record\n"));
status = NT_STATUS_INVALID_NETWORK_RESPONSE;
goto cleanup;
}
curdata += offset;
curdata_count -= offset;
if (offset == 0) {
break;
}
} }
cleanup: cleanup:
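Review bot: The pointer-wrap guard `if (curdata + offset < curdata)` added in the third hunk of cli_list_user_quota_step is dead code and, had it ever been reachable, undefined behaviour: the check just above it already rejects `offset > curdata_count`, so `curdata + offset` can only point into or one past the buffer `rdata` that `curdata_count` describes, where pointer arithmetic cannot wrap, and a compiler is entitled to delete a comparison that can only be true via out-of-object arithmetic. Drop the five lines from `if (curdata + offset < curdata) {` through its closing brace, or if a belt-and-braces check is wanted, do it in integer arithmetic on the counts instead of on the pointer. The integer checks that remain (`offset > curdata_count` here, `40 + sid_len < 40` and `*offset < 40 + sid_len` in parse_user_quota_record) are what actually bound the walk, assuming `sid_len` and `offset` are 32-bit unsigned as IVAL suggests. A minor style point: the first hunk returns `false` while the same function returns `False` two lines later; pick one spelling. The enclosing functions start outside the hunks shown, so the earlier read of `*offset` is not visible here.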