Andreas Schneider dfbd950a1d s3:winbind: Fix heap buffer overflow in winbind
==36258==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51300000b096 at pc 0x7fb6b4880b46 bp 0x7ffc67d44b40 sp 0x7ffc67d44300
READ of size 1 at 0x51300000b096 thread T0
    #0 0x7fb6b4880b45 in strlen ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:391
    #1 0x560fe898cde3 in winbindd_wins_byip_done ../../source3/winbindd/winbindd_wins_byip.c:111
    #2 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #3 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #4 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #5 0x7fb6b1e24c80 in node_status_query_done ../../source3/libsmb/namequery.c:904
    #6 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #7 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #8 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #9 0x7fb6b1e250bc in nb_trans_done ../../source3/libsmb/namequery.c:756
    #10 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #11 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #12 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #13 0x7fb6b1e270af in sock_packet_read_got_socket ../../source3/libsmb/namequery.c:537
    #14 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #15 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #16 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #17 0x7fb6b33db183 in tdgram_recvfrom_done ../../lib/tsocket/tsocket.c:240
    #18 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #19 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #20 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #21 0x7fb6b33e0d99 in tdgram_bsd_recvfrom_handler ../../lib/tsocket/tsocket_bsd.c:1087
    #22 0x7fb6b33e0263 in tdgram_bsd_fde_handler ../../lib/tsocket/tsocket_bsd.c:811
    #23 0x7fb6b4ef5ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174
    #24 0x7fb6b4f0b185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696
    #25 0x7fb6b4f0b185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926
    #26 0x7fb6b4f037b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #27 0x7fb6b4ef3549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
    #28 0x560fe8a15198 in main ../../source3/winbindd/winbindd.c:1729
    #29 0x7fb6afe2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #30 0x7fb6afe2a378 in __libc_start_main_impl ../csu/libc-start.c:360
    #31 0x560fe89454e4 in _start ../sysdeps/x86_64/start.S:115

0x51300000b096 is located 12 bytes after 330-byte region [0x51300000af40,0x51300000b08a)
allocated by thread T0 here:
    #0 0x7fb6b48fc777 in malloc ../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7fb6b3a64c57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7fb6b3a66acf in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7fb6b3a66acf in _talloc_named_const ../../lib/talloc/talloc.c:982
    #4 0x7fb6b3a66acf in _talloc_array ../../lib/talloc/talloc.c:2784
    #5 0x7fb6b1e2b43e in parse_node_status ../../source3/libsmb/namequery.c:337
    #6 0x7fb6b1e2b43e in node_status_query_recv ../../source3/libsmb/namequery.c:921
    #7 0x560fe898cc4f in winbindd_wins_byip_done ../../source3/winbindd/winbindd_wins_byip.c:87
    #8 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #9 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #10 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #11 0x7fb6b1e24c80 in node_status_query_done ../../source3/libsmb/namequery.c:904
    #12 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #13 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #14 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #15 0x7fb6b1e250bc in nb_trans_done ../../source3/libsmb/namequery.c:756
    #16 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #17 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #18 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #19 0x7fb6b1e270af in sock_packet_read_got_socket ../../source3/libsmb/namequery.c:537
    #20 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #21 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #22 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #23 0x7fb6b33db183 in tdgram_recvfrom_done ../../lib/tsocket/tsocket.c:240
    #24 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #25 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #26 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #27 0x7fb6b33e0d99 in tdgram_bsd_recvfrom_handler ../../lib/tsocket/tsocket_bsd.c:1087
    #28 0x7fb6b33e0263 in tdgram_bsd_fde_handler ../../lib/tsocket/tsocket_bsd.c:811
    #29 0x7fb6b4ef5ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174
    #30 0x7fb6b4f0b185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696
    #31 0x7fb6b4f0b185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926
    #32 0x7fb6b4f037b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #33 0x7fb6b4ef3549 in _tevent_loop_once ../../lib/tevent/tevent.c:820

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-10-24 10:54:37 +00:00
idmap_hash s3:winbindd: Add zero digit to literal 2023-09-14 21:35:29 +00:00
idmap_ad_nss.c s3:winbind: Pass a memory context to ads_idmap_cached_connection() 2022-06-27 15:50:29 +00:00
idmap_ad.c s3:winbind: Fix idmap_ad creating an invalid local krb5.conf 2024-06-04 19:49:36 +00:00
idmap_autorid_tdb.c s3: winbindd: assign rangenum member after NULL check 2024-02-22 10:57:38 +00:00
idmap_autorid.c idmap_autorid: fix ID_REQUIRE_TYPE for more than one SID for an unknown domain 2023-03-10 10:38:37 +00:00
idmap_ldap.c s3:winbindd: Add missing newlines to logging messages 2023-08-08 04:39:38 +00:00
idmap_nss.c idmap_nss: Install a messaging filter to reload the configuration 2023-12-13 15:07:38 +00:00
idmap_passdb.c idmap:fix whitespace 2023-08-14 19:53:37 +00:00
idmap_proto.h
idmap_rfc2307.c s3: Zero memory of idmap_fetch_secret() users 2022-08-26 07:59:32 +00:00
idmap_rid.c s3:winbindd: Fix code spelling 2023-07-19 09:58:37 +00:00
idmap_rw.c winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE 2020-10-23 03:25:37 +00:00
idmap_rw.h
idmap_script.c idmap_script: Save a few lines with str_list_add_printf() 2021-10-08 19:28:31 +00:00
idmap_tdb2.c idmap: Fix whitespace 2023-08-14 19:53:37 +00:00
idmap_tdb_common.c winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE 2020-10-23 03:25:37 +00:00
idmap_tdb_common.h
idmap_tdb.c idmap_tdb: Remove a variable never used 2023-08-14 19:53:37 +00:00
idmap_util.c
idmap.c winbind: Add idmap_config_string_list() 2023-03-29 17:55:50 +00:00
nss_info_template.c
nss_info.c s3: winbindd: remove double initialization 2024-02-22 09:47:44 +00:00
wb_alias_members.c s3:winbind: Add wb_alias_members_{send/recv} 2023-06-13 12:15:32 +00:00
wb_dsgetdcname.c wb_dsgetdcname: don't use stack variables for async code 2023-07-02 17:42:56 +00:00
wb_getgrsid.c s3:winbind: s/wb_group_members_send/wb_alias_members_send/ for SID_NAME_ALIAS in wb_getgrsid_sid2gid_done() 2023-06-13 12:15:32 +00:00
wb_getpwsid.c s3:winbind: Improve logging in wb_getpwsid.c 2022-07-15 14:25:38 +00:00
wb_gettoken.c s3:winbind: Add additional debug level check to wb_gettoken_recv() 2022-07-21 13:47:31 +00:00
wb_group_members.c s3:winbind: Convert wb_group_members_send() to resolve array of groups 2023-06-13 12:15:32 +00:00
wb_lookupname.c s3:winbind: Improve logging in wb_lookupname.c 2022-07-15 14:25:38 +00:00
wb_lookupsid.c s3:winbind: Improve logging in wb_lookupsid.c 2022-07-15 14:25:38 +00:00
wb_lookupsids.c s3:winbindd: Fix code spelling 2023-07-19 09:58:37 +00:00
wb_lookupuseraliases.c s3:winbind: Change '%u' to '%PRIu32' for uint32_t in wb_lookupuseraliases.c 2022-07-21 13:47:31 +00:00
wb_lookupusergroups.c s3/winbindd: Fix bad access to sid array (with debug level >= info) 2022-08-31 15:07:31 +00:00
wb_next_grent.c s3:winbind: Improve logging in wb_next_grent.c 2022-07-15 14:25:38 +00:00
wb_next_pwent.c s3:winbind: Change '%u' to '%PRIu32' for uint32_t in wb_next_pwent.c 2022-07-21 13:47:31 +00:00
wb_query_group_list.c s3:winbind: Change '%u' to '%PRIu32' for uint32_t in wb_query_group_list.c 2022-07-21 13:47:31 +00:00
wb_query_user_list.c winbind: Fix a typo 2023-06-16 16:14:30 +00:00
wb_queryuser.c s4:torture: Skip test_membership_user for users that get incorrectly assigned group sid 2023-06-13 12:15:32 +00:00
wb_seqnum.c
wb_seqnums.c s3:winbindd: Fix code spelling 2023-07-19 09:58:37 +00:00
wb_sids2xids.c s3:winbind: Move tevent_req_create() before debug macros to have the right call depth 2023-01-26 14:10:36 +00:00
wb_xids2sids.c winbind: Fix the 32-bit build 2022-07-23 23:29:38 +00:00
winbindd_ads.c s3:winbindd: use winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c 2024-05-14 10:18:31 +00:00
winbindd_ads.h s3:winbind: Pass a memory context to ads_idmap_cached_connection() 2022-06-27 15:50:29 +00:00
winbindd_allocate_gid.c winbindd: Fix a startup race with allocate_gid 2021-03-24 20:31:30 +00:00
winbindd_allocate_uid.c winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send() 2021-09-02 15:20:06 +00:00
winbindd_cache.c winbindd: let LookupNames return NT_STATUS_OK and SID_NAME_UNKNOWN for unmapped names 2024-07-26 10:06:31 +00:00
winbindd_ccache_access.c winbind: Modernize a few DEBUGs 2024-06-04 07:11:35 +00:00
winbindd_change_machine_acct.c winbindd: add dcname arg to ChangeMachineAccount request 2022-12-21 19:10:35 +00:00
winbindd_check_machine_acct.c
winbindd_cm.c s3:winbindd: let store_current_dc_in_gencache() take the dcaddr directly 2024-10-01 11:01:34 +00:00
winbindd_cred_cache.c lib: Remove timeval_set() 2024-03-22 06:07:42 +00:00
winbindd_creds.c s3:winbindd: Fix code spelling 2023-07-19 09:58:37 +00:00
winbindd_domain_info.c s3:winbindd: it's 2024 and all AD domains should be native now 2024-10-01 09:53:32 +00:00
winbindd_domain.c s3:winbindd: Use a correct value for the length of domain children 2023-08-30 12:42:29 +00:00
winbindd_dsgetdcname.c s3:winbind: Improve logging in winbindd_dsgetdcname.c 2022-07-15 14:25:38 +00:00
winbindd_dual_ndr.c s3:winbindd: implement wbint_bh_get_binding() in winbindd_dual_ndr.c 2024-09-26 15:22:45 +00:00
winbindd_dual_srv.c s3:winbindd: it's 2024 and all AD domains should be native now 2024-10-01 09:53:32 +00:00
winbindd_dual.c s3:winbindd: it's 2024 and all AD domains should be native now 2024-10-01 09:53:32 +00:00
winbindd_endgrent.c s3:winbind: Improve logging in winbindd_endgrent.c 2022-07-15 14:25:38 +00:00
winbindd_endpwent.c s3:winbind: Improve logging in winbindd_endpwent.c 2022-07-15 14:25:38 +00:00
winbindd_getdcname.c s3:winbind: Improve logging in winbindd_getdcname.c 2022-07-15 14:25:38 +00:00
winbindd_getgrent.c s3:winbind: Change '%u' to '%PRIu32' for uint32_t in winbindd_getgrent.c 2022-07-21 13:47:31 +00:00
winbindd_getgrgid.c s3:winbind: Change '%u' to '%PRIu32' for uint32_t in winbindd_getgrgid.c 2022-07-21 13:47:31 +00:00
winbindd_getgrnam.c winbindd: let LookupNames return NT_STATUS_OK and SID_NAME_UNKNOWN for unmapped names 2024-07-26 10:06:31 +00:00
winbindd_getgroups.c winbindd: let LookupNames return NT_STATUS_OK and SID_NAME_UNKNOWN for unmapped names 2024-07-26 10:06:31 +00:00
winbindd_getpwent.c s3:winbind: Change '%u' to '%PRIu32' for uint32_t in winbindd_getpwent.c 2022-07-21 13:47:31 +00:00
winbindd_getpwnam.c winbindd: let LookupNames return NT_STATUS_OK and SID_NAME_UNKNOWN for unmapped names 2024-07-26 10:06:31 +00:00
winbindd_getpwsid.c s3:winbind: Improve logging in winbindd_getpwsid.c 2022-07-15 14:25:38 +00:00
winbindd_getpwuid.c s3:winbind: Improve logging in winbindd_getpwuid.c 2022-07-15 14:25:38 +00:00
winbindd_getsidaliases.c s3:winbind: Add additional debug level check to winbindd_getsidaliases_send() 2022-07-21 13:47:31 +00:00
winbindd_getuserdomgroups.c s3:winbind: Change '%u' to '%PRIu32' for uint32_t in winbindd_getuserdomgroups.c 2022-07-21 13:47:31 +00:00
winbindd_getusersids.c s3:winbind: Change '%u' to '%PRIu32' for uint32_t in winbindd_getusersids.c 2022-07-21 13:47:31 +00:00
winbindd_gpupdate.c s3:winbindd: Fix code spelling 2023-07-19 09:58:37 +00:00
winbindd_group.c s3:winbindd: Fix code spelling 2023-07-19 09:58:37 +00:00
winbindd_idmap.c winbindd: let LookupNames return NT_STATUS_OK and SID_NAME_UNKNOWN for unmapped names 2024-07-26 10:06:31 +00:00
winbindd_irpc.c winbindd: let LookupNames return NT_STATUS_OK and SID_NAME_UNKNOWN for unmapped names 2024-07-26 10:06:31 +00:00
winbindd_list_groups.c s3:winbind: Change '%u' to '%PRIu32' for uint32_t in winbindd_list_groups.c 2022-07-21 13:47:31 +00:00
winbindd_list_users.c s3:winbindd: Change the TALLOC_CTX to fix the tevent call depth tracking 2023-07-20 10:38:19 +00:00
winbindd_locator.c s3:winbind: talloc the static locator child 2023-12-13 15:07:38 +00:00
winbindd_lookupname.c s3:winbind: Improve logging in winbindd_lookupname.c 2022-07-15 14:25:38 +00:00
winbindd_lookuprids.c
winbindd_lookupsid.c
winbindd_lookupsids.c CVE-2020-14323 winbind: Fix invalid lookupsids DoS 2020-10-29 10:25:37 +00:00
winbindd_misc.c s3:winbind: Add callback winbind_call_flow() 2023-07-19 08:02:33 +00:00
winbindd_msrpc.c s3:winbindd: make use of dcerpc_binding_handle_get_transport() 2024-09-26 15:22:46 +00:00
winbindd_ndr.c s3:winbindd: it's 2024 and all AD domains should be native now 2024-10-01 09:53:32 +00:00
winbindd_pam_auth_crap.c CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks 2023-07-21 12:05:35 +00:00
winbindd_pam_auth.c s3/winbindd: in winbindd_pam_auth_send use canonicalize_username 2023-10-24 12:43:37 +00:00
winbindd_pam_chauthtok.c s3/winbindd: in winbindd_pam_chauthtok_send use canonicalize_username 2023-10-24 12:43:37 +00:00
winbindd_pam_chng_pswd_auth_crap.c s3:winbind: Convert winbindd_dual_pam_chng_pswd_auth_crap() from struct based to NDR based 2022-05-19 17:51:33 +00:00
winbindd_pam_logoff.c s3/winbindd: in winbindd_pam_logoff_send use canonicalize_username 2023-10-24 12:43:37 +00:00
winbindd_pam.c winbind: Modernize a few DEBUGs 2024-06-04 07:11:35 +00:00
winbindd_ping_dc.c
winbindd_proto.h s3:winbindd: make winbindd_get_trust_credentials() public 2024-05-14 10:18:31 +00:00
winbindd_reconnect_ads.c s3:winbind: Add lookup_aliasmem to winbindd_methods and implement it in all backends 2023-06-13 12:15:32 +00:00
winbindd_reconnect.c s3:winbind: Add lookup_aliasmem to winbindd_methods and implement it in all backends 2023-06-13 12:15:32 +00:00
winbindd_rpc.c s3:winbindd: make use of dcerpc_binding_handle_get_transport() 2024-09-26 15:22:46 +00:00
winbindd_rpc.h s3:winbind: Add lookup_aliasmem to winbindd_methods and implement it in all backends 2023-06-13 12:15:32 +00:00
winbindd_samr.c winbindd: let LookupNames return NT_STATUS_OK and SID_NAME_UNKNOWN for unmapped names 2024-07-26 10:06:31 +00:00
winbindd_setgrent.c s3:winbind: Improve logging in winbindd_setgrent.c 2022-07-15 14:25:38 +00:00
winbindd_setpwent.c s3:winbind: Improve logging in winbindd_setpwent.c 2022-07-15 14:25:38 +00:00
winbindd_show_sequence.c s3:winbindd: Fix code spelling 2023-07-19 09:58:37 +00:00
winbindd_sids_to_xids.c s3:winbind: Change '%u' to '%PRIu32' for uint32_t in winbindd_sids_to_xids.c 2022-07-21 13:47:31 +00:00
winbindd_traceid.c s3:winbindd add "'winbind debug traceid" support via tevent tracing 2022-05-10 17:31:31 +00:00
winbindd_traceid.h s3:winbindd add "'winbind debug traceid" support via tevent tracing 2022-05-10 17:31:31 +00:00
winbindd_util.c s3:winbindd: let add_trusted_domain() mark domains as initialized when loaded from config 2024-10-01 09:53:32 +00:00
winbindd_wins_byip.c s3:winbind: Fix heap buffer overflow in winbind 2024-10-24 10:54:37 +00:00
winbindd_wins_byname.c winbind: Save an intermediate NULL check with talloc_asprintf_addbuf() 2022-12-14 04:32:34 +00:00
winbindd_xids_to_sids.c s3:winbind: Change '%u' to '%PRIu32' for uint32_t in winbindd_xids_to_sids.c 2022-07-21 13:47:31 +00:00
winbindd.c s3:winbindd: make use of samba_sockaddr to avoid compiler warnings 2024-05-14 10:18:31 +00:00
winbindd.h s3:winbindd: it's 2024 and all AD domains should be native now 2024-10-01 09:53:32 +00:00
wscript_build s3:winbind: Add wb_alias_members_{send/recv} 2023-06-13 12:15:32 +00:00