libcli/security: avoid overflow in subauths

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c
index 6cf7cc4d6d832d7409118c7d5f36e1f6e42cd3b9..d0f90c29a798acc04b852d95e669ccdc074998c3 100644 (file)
--- a/libcli/security/dom_sid.c
+++ b/libcli/security/dom_sid.c
@@ -204,7 +204,15 @@ bool dom_sid_parse_endp(const char *sidstr,struct dom_sid *sidout,
                }
 
                conv = smb_strtoull(q, &end, 10, &error, SMB_STR_STANDARD);
-               if (conv > UINT32_MAX || error != 0) {
+               if (conv > UINT32_MAX || error != 0 || end - q > 12) {
+                       /*
+                        * This sub-auth is greater than 4294967295,
+                        * and hence invalid. Windows will treat it as
+                        * 4294967295, while we prefer to refuse (old
+                        * versions of Samba will wrap, arriving at
+                        * another number altogether).
+                         */
+                       DBG_NOTICE("bad sub-auth in %s\n", sidstr);
                        goto format_error;
                }
 

diff --git a/selftest/knownfail.d/sid-strings b/selftest/knownfail.d/sid-strings
index 3859b8a50dd3f61b31c47c4c7d1d0ca968ee8357..5392e54deafb5d11b9990cfd1f349be2a4825607 100644 (file)
--- a/selftest/knownfail.d/sid-strings
+++ b/selftest/knownfail.d/sid-strings
@@ -72,6 +72,7 @@
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-22.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-281474976710656-579.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-5-0x20-579.ad_dc
+^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-5-20-00000000000243.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-5-3.2-579.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-5-32--579.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-5-32-.579.ad_dc
@@ -87,5 +88,6 @@
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_internal_S-1-0xABcDef123-0xABCDef-579.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_internal_S-1-22.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_internal_S-1-5-0x20-579.ad_dc
+^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_internal_S-1-5-20-00000000000243.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_internal_s-1-5-32-579.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_s-1-5-32-579.ad_dc