s3:utils: Fix stack smashing in net offlinejoin
Cast from 'uint32_t *' (aka 'unsigned int *') to 'size_t *' (aka
'unsigned long *') increases required alignment from 4 to 8
==10343==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc6784fc0 at pc 0x7f339f1ea500 bp 0x7ffdc6784ed0 sp 0x7ffdc6784ec8
WRITE of size 8 at 0x7ffdc6784fc0 thread T0
#0 0x7f339f1ea4ff in fd_load ../../lib/util/util_file.c:220
#1 0x7f339f1ea5a4 in file_load ../../lib/util/util_file.c:245
#2 0x56363209a596 in net_offlinejoin_requestodj ../../source3/utils/net_offlinejoin.c:267
#3 0x56363209a9d0 in net_offlinejoin ../../source3/utils/net_offlinejoin.c:74
#4 0x56363208f61c in net_run_function ../../source3/utils/net_util.c:453
#5 0x563631fe8a9f in main ../../source3/utils/net.c:1358
#6 0x7f339b22c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f339b22c678 in __libc_start_main_impl ../csu/libc-start.c:381
#8 0x563631faf374 in _start ../sysdeps/x86_64/start.S:115
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15257
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit ef8c8ac54c)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Tue Dec 6 12:02:00 UTC 2022 on sn-devel-184
parent
885e3fc12d
commit
994464eee2
@ -237,7 +237,7 @@ int net_offlinejoin_requestodj(struct net_context *c,
|
||||
{
|
||||
NET_API_STATUS status;
|
||||
uint8_t *provision_bin_data = NULL;
|
||||
uint32_t provision_bin_data_size = 0;
|
||||
size_t provision_bin_data_size = 0;
|
||||
uint32_t options = NETSETUP_PROVISION_ONLINE_CALLER;
|
||||
const char *loadfile = NULL;
|
||||
const char *windows_path = NULL;
|
||||
@ -264,12 +264,17 @@ int net_offlinejoin_requestodj(struct net_context *c,
|
||||
#endif
|
||||
}
|
||||
|
||||
provision_bin_data = (uint8_t *)file_load(loadfile,
|
||||
(size_t *)&provision_bin_data_size, 0, c);
|
||||
provision_bin_data =
|
||||
(uint8_t *)file_load(loadfile, &provision_bin_data_size, 0, c);
|
||||
if (provision_bin_data == NULL) {
|
||||
d_printf("Failed to read loadfile: %s\n", loadfile);
|
||||
return -1;
|
||||
}
|
||||
if (provision_bin_data_size > UINT32_MAX) {
|
||||
d_printf("provision binary data size too big: %zu\n",
|
||||
provision_bin_data_size);
|
||||
return -1;
|
||||
}
|
||||
|
||||
status = NetRequestOfflineDomainJoin(provision_bin_data,
|
||||
provision_bin_data_size,
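Review bot: The new `provision_bin_data_size > UINT32_MAX` guard runs only after `file_load(loadfile, &provision_bin_data_size, 0, c)` has returned, and the third argument of 0 presumably means no size limit, so an oversized file is read into memory in full before it is rejected. The guard also has no comment saying why 32 bits is the limit; something like `/* the length is passed on as a 32-bit value, refuse anything that would be truncated */` above it would record the reason, assuming NetRequestOfflineDomainJoin() takes a uint32_t length as the old variable type suggests. The narrowing at the call is still implicit now that the variable is `size_t`; writing `(uint32_t)provision_bin_data_size` there keeps the conversion visible to readers and to -Wconversion. On builds where `size_t` is 32 bits the comparison is always false, which may trip -Wtype-limits. The function body starts and ends outside the hunks, so whether the early `return -1` needs to release the buffer held on `c` cannot be confirmed from here.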
|
||||
|