From 609965b6ea0f33016c13e431fe658c07983b4d9f Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 10 Nov 2023 12:11:24 +1300 Subject: [PATCH] libcli/security:sddl_decode message offset safety latch the message offset is largely calculated using the differences between pointers in many places scattered throughout the code. If we got one of these wrong, we could easily have a SIZE_MAX-ish offset, which would be unfortunate if we came decided to display the offset using spaces. We can sanely limit the offset to the length of the SDDL. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- libcli/security/sddl.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c index 898725bd4cd..2cad84a937a 100644 --- a/libcli/security/sddl.c +++ b/libcli/security/sddl.c @@ -963,6 +963,18 @@ failed: * offset at least provides a clue. */ *msg_offset += sddl - start; + + if (*msg_offset > strlen(sddl)) { + /* + * It's not that we *don't* trust our pointer difference + * arithmetic, just that we *shouldn't*. Let's render it + * harmless, before Python tries printing 18 quadrillion + * spaces. + */ + DBG_WARNING("sddl error message offset %zu is too big\n", + *msg_offset); + *msg_offset = 0; + } DEBUG(2,("Badly formatted SDDL '%s'\n", sddl)); talloc_free(sd); return NULL; -- 2.47.3
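Review bot: the new bound in the `failed:` hunk compares `*msg_offset` against `strlen(sddl)`, but the line just above it (`*msg_offset += sddl - start;`) shows that `sddl` is the advanced parse pointer, not the beginning of the string, so `strlen(sddl)` is the length of the remaining suffix rather than "the length of the SDDL" that the commit message describes. An offset that is valid relative to `start` can exceed the suffix length once `sddl` has moved past the first half of the input, and the latch would then zero a perfectly good offset. If the intent is to bound by the whole string, compare against `strlen(start)` (or a length computed once at entry); and since the comment above the hunk says the offset "at least provides a clue", clamping to that length instead of resetting to 0 would keep the clue while still making the value harmless. Either way, the pre-check passes `*msg_offset` to `DBG_WARNING` with `%zu`, so it is worth confirming in the function signature that `msg_offset` is a `size_t *` and not an `int *` or similar.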