mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
cliquota: some security hardening
Add some checks for validity of the offset in the return buffer. Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
parent
621d7b41d9
commit
72c773c9c2
@ -73,11 +73,18 @@ bool parse_user_quota_record(const uint8_t *rdata,
|
|||||||
|
|
||||||
/* sid len */
|
/* sid len */
|
||||||
sid_len = IVAL(rdata,4);
|
sid_len = IVAL(rdata,4);
|
||||||
|
if (40 + sid_len < 40) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
if (rdata_count < 40+sid_len) {
|
if (rdata_count < 40+sid_len) {
|
||||||
return False;
|
return False;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (*offset != 0 && *offset < 40 + sid_len) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
/* unknown 8 bytes in pdata
|
/* unknown 8 bytes in pdata
|
||||||
* maybe its the change time in NTTIME
|
* maybe its the change time in NTTIME
|
||||||
*/
|
*/
|
||||||
@ -260,10 +267,9 @@ static NTSTATUS cli_list_user_quota_step(struct cli_state *cli,
|
|||||||
status = NT_STATUS_NO_MORE_ENTRIES;
|
status = NT_STATUS_NO_MORE_ENTRIES;
|
||||||
}
|
}
|
||||||
|
|
||||||
offset = 1;
|
curdata = rdata;
|
||||||
for (curdata=rdata,curdata_count=rdata_count;
|
curdata_count = rdata_count;
|
||||||
((curdata)&&(curdata_count>=8)&&(offset>0));
|
while (true) {
|
||||||
curdata +=offset,curdata_count -= offset) {
|
|
||||||
ZERO_STRUCT(qt);
|
ZERO_STRUCT(qt);
|
||||||
if (!parse_user_quota_record((const uint8_t *)curdata, curdata_count,
|
if (!parse_user_quota_record((const uint8_t *)curdata, curdata_count,
|
||||||
&offset, &qt)) {
|
&offset, &qt)) {
|
||||||
@ -286,6 +292,25 @@ static NTSTATUS cli_list_user_quota_step(struct cli_state *cli,
|
|||||||
tmp_list_ent->mem_ctx = mem_ctx;
|
tmp_list_ent->mem_ctx = mem_ctx;
|
||||||
|
|
||||||
DLIST_ADD((*pqt_list),tmp_list_ent);
|
DLIST_ADD((*pqt_list),tmp_list_ent);
|
||||||
|
|
||||||
|
if (offset > curdata_count) {
|
||||||
|
DEBUG(1, ("out of bounds offset in quota record\n"));
|
||||||
|
status = NT_STATUS_INVALID_NETWORK_RESPONSE;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (curdata + offset < curdata) {
|
||||||
|
DEBUG(1, ("Pointer overflow in quota record\n"));
|
||||||
|
status = NT_STATUS_INVALID_NETWORK_RESPONSE;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
curdata += offset;
|
||||||
|
curdata_count -= offset;
|
||||||
|
|
||||||
|
if (offset == 0) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
|
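Review bot: The `curdata + offset < curdata` test added in the last hunk of cli_list_user_quota_step cannot do what its debug message says: once `offset > curdata_count` has been rejected just above it, `curdata + offset` stays inside the reply buffer, and a pointer sum that did run past the buffer would be undefined behaviour, which a compiler may assume never happens and optimise out. I would drop that block, or replace it with a comment such as `/* offset <= curdata_count, so curdata + offset stays in bounds */`. The rewritten `while (true)` loop also loses the old `curdata` non-NULL and `curdata_count>=8` conditions, so it now relies on parse_user_quota_record rejecting a short or empty buffer before its `IVAL(rdata,4)` read; that length check lies outside the visible hunks and should be confirmed. The declarations of `offset`, `curdata_count` and `sid_len` are not shown either, and the `40 + sid_len < 40` wrap test is only well defined if `sid_len` is unsigned.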