From: Douglas Bagnall
Date: Thu, 9 Nov 2023 23:11:24 +0000 (+1300)
Subject: libcli/security:sddl_decode message offset safety latch
X-Git-Tag: talloc-2.4.2~693
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=609965b6ea0f33016c13e431fe658c07983b4d9f;p=thirdparty%2Fsamba.git

libcli/security:sddl_decode message offset safety latch

The message offset is largely calculated using the differences between pointers in many places scattered throughout the code. If we got one of these wrong, we could easily have a SIZE_MAX-ish offset, which would be unfortunate if we decided to display the offset using spaces. We can sanely limit the offset to the length of the SDDL.

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c index 898725bd4cd..2cad84a937a 100644 --- a/libcli/security/sddl.c +++ b/libcli/security/sddl.c @@ -963,6 +963,18 @@ failed: * offset at least provides a clue. */ *msg_offset += sddl - start; + + if (*msg_offset > strlen(sddl)) { + /* + * It's not that we *don't* trust our pointer difference + * arithmetic, just that we *shouldn't*. Let's render it + * harmless, before Python tries printing 18 quadrillion + * spaces. + */ + DBG_WARNING("sddl error message offset %zu is too big\n", + *msg_offset); + *msg_offset = 0; + } DEBUG(2,("Badly formatted SDDL '%s'\n", sddl)); talloc_free(sd); return NULL;
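Review bot: the bound in `if (*msg_offset > strlen(sddl))` looks inconsistent with the unchanged line directly above it, `*msg_offset += sddl - start;`, which implies `sddl` is the parser's advanced cursor and `start` is the beginning of the string; if that reading is right, `strlen(sddl)` is the length of the unparsed remainder rather than "the length of the SDDL" the commit message describes, so a legitimate offset past the midpoint of the string would be clamped to 0 while a corrupt offset could still pass the check when the cursor is near the start. Suggest comparing against `strlen(start)` (or a total length captured before the cursor moves) so the latch bounds the offset relative to the same origin it is measured from. Resetting to 0 rather than rejecting the whole decode is a sensible safe default here, and the `DBG_WARNING` with the offending `%zu` value leaves a trace of when the latch fired.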