From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Tue, 11 Apr 2023 23:39:25 +0000 (+1200)
Subject: libcli/security: avoid overflow in subauths
X-Git-Tag: talloc-2.4.1~839
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67ff4ca200e69a112afa3a25362da707e00732e6;p=thirdparty%2Fsamba.git

libcli/security: avoid overflow in subauths

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c
index 6cf7cc4d6d8..d0f90c29a79 100644
--- a/libcli/security/dom_sid.c
+++ b/libcli/security/dom_sid.c
@@ -204,7 +204,15 @@ bool dom_sid_parse_endp(const char *sidstr,struct dom_sid *sidout,
 		}
 
 		conv = smb_strtoull(q, &end, 10, &error, SMB_STR_STANDARD);
-		if (conv > UINT32_MAX || error != 0) {
+		if (conv > UINT32_MAX || error != 0 || end - q > 12) {
+			/*
+			 * This sub-auth is greater than 4294967295,
+			 * and hence invalid. Windows will treat it as
+			 * 4294967295, while we prefer to refuse (old
+			 * versions of Samba will wrap, arriving at
+			 * another number altogether).
+                         */
+			DBG_NOTICE("bad sub-auth in %s\n", sidstr);
 			goto format_error;
 		}
 
diff --git a/selftest/knownfail.d/sid-strings b/selftest/knownfail.d/sid-strings
index 3859b8a50dd..5392e54deaf 100644
--- a/selftest/knownfail.d/sid-strings
+++ b/selftest/knownfail.d/sid-strings
@@ -72,6 +72,7 @@
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-22.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-281474976710656-579.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-5-0x20-579.ad_dc
+^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-5-20-00000000000243.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-5-3.2-579.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-5-32--579.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_S-1-5-32-.579.ad_dc
@@ -87,5 +88,6 @@
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_internal_S-1-0xABcDef123-0xABCDef-579.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_internal_S-1-22.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_internal_S-1-5-0x20-579.ad_dc
+^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_internal_S-1-5-20-00000000000243.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_internal_s-1-5-32-579.ad_dc
 ^samba.tests.sid_strings.+.SidStringsThatStartWithS.test_sid_string_s-1-5-32-579.ad_dc