From: Joseph Sutton Date: Mon, 3 May 2021 04:16:51 +0000 (+1200) Subject: libsmb: Avoid undefined behaviour when parsing whoami state X-Git-Tag: tevent-0.11.0~810 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d8aeed33d8edf7a5dc96dbe35e4e164e2baeeeb;p=thirdparty%2Fsamba.git libsmb: Avoid undefined behaviour when parsing whoami state If num_gids is such that the gids array would overflow the rdata buffer, 'p + 8' could produce a result pointing outside the buffer, and thus result in undefined behaviour. To avoid this, we check num_gids against the size of the buffer beforehand. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index 135a77f2312..8ec74d191be 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c @@ -661,6 +661,13 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) state->num_gids = IVAL(rdata, 24); state->num_sids = IVAL(rdata, 28); + /* Ensure the gid array doesn't overflow */ + if (state->num_gids > (num_rdata - 40) / sizeof(uint64_t)) { + tevent_req_nterror(req, + NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + state->gids = talloc_array(state, uint64_t, state->num_gids); if (tevent_req_nomem(state->gids, req)) { return; @@ -673,11 +680,6 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) p = rdata + 40; for (i = 0; i < state->num_gids; i++) { - if (p + 8 > rdata + num_rdata) { - tevent_req_nterror(req, - NT_STATUS_INVALID_NETWORK_RESPONSE); - return; - } state->gids[i] = BVAL(p, 0); p += 8; }