From: Andreas Schneider Date: Thu, 17 Oct 2024 17:33:47 +0000 (+0200) Subject: s3:winbind: Fix heap buffer overflow in winbind X-Git-Tag: tdb-1.4.13~854 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dfbd950a1d424e0bfbd69cee346d983fb5343d54;p=thirdparty%2Fsamba.git s3:winbind: Fix heap buffer overflow in winbind ==36258==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51300000b096 at pc 0x7fb6b4880b46 bp 0x7ffc67d44b40 sp 0x7ffc67d44300 READ of size 1 at 0x51300000b096 thread T0 #0 0x7fb6b4880b45 in strlen ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:391 #1 0x560fe898cde3 in winbindd_wins_byip_done ../../source3/winbindd/winbindd_wins_byip.c:111 #2 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #3 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #4 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #5 0x7fb6b1e24c80 in node_status_query_done ../../source3/libsmb/namequery.c:904 #6 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #7 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #8 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #9 0x7fb6b1e250bc in nb_trans_done ../../source3/libsmb/namequery.c:756 #10 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #11 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #12 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #13 0x7fb6b1e270af in sock_packet_read_got_socket ../../source3/libsmb/namequery.c:537 #14 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #15 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #16 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #17 0x7fb6b33db183 in tdgram_recvfrom_done ../../lib/tsocket/tsocket.c:240 #18 0x7fb6b4ef8ae5 in _tevent_req_notify_callback 
../../lib/tevent/tevent_req.c:177 #19 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #20 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #21 0x7fb6b33e0d99 in tdgram_bsd_recvfrom_handler ../../lib/tsocket/tsocket_bsd.c:1087 #22 0x7fb6b33e0263 in tdgram_bsd_fde_handler ../../lib/tsocket/tsocket_bsd.c:811 #23 0x7fb6b4ef5ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174 #24 0x7fb6b4f0b185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696 #25 0x7fb6b4f0b185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926 #26 0x7fb6b4f037b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110 #27 0x7fb6b4ef3549 in _tevent_loop_once ../../lib/tevent/tevent.c:820 #28 0x560fe8a15198 in main ../../source3/winbindd/winbindd.c:1729 #29 0x7fb6afe2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #30 0x7fb6afe2a378 in __libc_start_main_impl ../csu/libc-start.c:360 #31 0x560fe89454e4 in _start ../sysdeps/x86_64/start.S:115 0x51300000b096 is located 12 bytes after 330-byte region [0x51300000af40,0x51300000b08a) allocated by thread T0 here: #0 0x7fb6b48fc777 in malloc ../../../../libsanitizer/asan/asan_malloc_linux.cpp:69 #1 0x7fb6b3a64c57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783 #2 0x7fb6b3a66acf in __talloc ../../lib/talloc/talloc.c:825 #3 0x7fb6b3a66acf in _talloc_named_const ../../lib/talloc/talloc.c:982 #4 0x7fb6b3a66acf in _talloc_array ../../lib/talloc/talloc.c:2784 #5 0x7fb6b1e2b43e in parse_node_status ../../source3/libsmb/namequery.c:337 #6 0x7fb6b1e2b43e in node_status_query_recv ../../source3/libsmb/namequery.c:921 #7 0x560fe898cc4f in winbindd_wins_byip_done ../../source3/winbindd/winbindd_wins_byip.c:87 #8 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #9 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #10 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #11 0x7fb6b1e24c80 in 
node_status_query_done ../../source3/libsmb/namequery.c:904 #12 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #13 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #14 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #15 0x7fb6b1e250bc in nb_trans_done ../../source3/libsmb/namequery.c:756 #16 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #17 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #18 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #19 0x7fb6b1e270af in sock_packet_read_got_socket ../../source3/libsmb/namequery.c:537 #20 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #21 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #22 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #23 0x7fb6b33db183 in tdgram_recvfrom_done ../../lib/tsocket/tsocket.c:240 #24 0x7fb6b4ef8ae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #25 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #26 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #27 0x7fb6b33e0d99 in tdgram_bsd_recvfrom_handler ../../lib/tsocket/tsocket_bsd.c:1087 #28 0x7fb6b33e0263 in tdgram_bsd_fde_handler ../../lib/tsocket/tsocket_bsd.c:811 #29 0x7fb6b4ef5ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174 #30 0x7fb6b4f0b185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696 #31 0x7fb6b4f0b185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926 #32 0x7fb6b4f037b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110 #33 0x7fb6b4ef3549 in _tevent_loop_once ../../lib/tevent/tevent.c:820 Signed-off-by: Andreas Schneider Reviewed-by: Martin Schwenke --- diff --git a/source3/winbindd/winbindd_wins_byip.c b/source3/winbindd/winbindd_wins_byip.c index 1b9cdbcd7be..32b13ba3c0f 100644 
--- a/source3/winbindd/winbindd_wins_byip.c
+++ b/source3/winbindd/winbindd_wins_byip.c
@@ -108,7 +108,8 @@ static void winbindd_wins_byip_done(struct tevent_req *subreq)
 D_DEBUG("Got name '%s'.\n", names[i].name);
-size = strlen(names[i].name + strlen(state->response));
+/* len(name) + len(" ") + len(response) */
+size = strlen(names[i].name) + 1 + strlen(state->response);
 if (size > sizeof(state->response) - 1) {
 D_WARNING("Too much data!\n");
 tevent_req_nterror(req, STATUS_BUFFER_OVERFLOW);
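Review bot: The corrected bound on the `size =` line only holds if the append that follows the `if` (outside the hunk; winbindd_wins_byip_done continues past it) writes exactly the name plus one separator byte, so that append should remain a bounded `strlcat`-style call with `sizeof(state->response)` as the limit so any future mismatch truncates rather than overflowing. The `names[i].name` strings are produced by `parse_node_status` from a NetBIOS node-status reply read off the network (per the allocation trace in the message), so the `strlen()` here trusts the parser to NUL-terminate every name; a comment such as `/* names[] come from the wire; parse_node_status must NUL-terminate each name */` would make that dependency explicit, and it is worth confirming. The original `strlen(names[i].name + strlen(state->response))` was well-formed C that no compiler warning flags and produced an out-of-bounds read of attacker-influenced length, so a regression test feeding a reply whose concatenated names exactly fill `state->response` would pin the boundary of this check.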