[SCM] Samba Shared Repository - branch v4-16-test updated

Jule Anger janger at samba.org
Tue Dec 6 12:02:02 UTC 2022


The branch, v4-16-test has been updated
       via  994464eee20 s3:utils: Fix stack smashing in net offlinejoin
      from  885e3fc12de smbd: reject FILE_ATTRIBUTE_TEMPORARY on directories

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test


- Log -----------------------------------------------------------------
commit 994464eee20aa6d2bba6f6e780d868d1a058d8bb
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Dec 5 11:18:10 2022 +0100

    s3:utils: Fix stack smashing in net offlinejoin
    
    Cast from 'uint32_t *' (aka 'unsigned int *') to 'size_t *' (aka
    'unsigned long *') increases required alignment from 4 to 8
    
    ==10343==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc6784fc0 at pc 0x7f339f1ea500 bp 0x7ffdc6784ed0 sp 0x7ffdc6784ec8
    WRITE of size 8 at 0x7ffdc6784fc0 thread T0
        #0 0x7f339f1ea4ff in fd_load ../../lib/util/util_file.c:220
        #1 0x7f339f1ea5a4 in file_load ../../lib/util/util_file.c:245
        #2 0x56363209a596 in net_offlinejoin_requestodj ../../source3/utils/net_offlinejoin.c:267
        #3 0x56363209a9d0 in net_offlinejoin ../../source3/utils/net_offlinejoin.c:74
        #4 0x56363208f61c in net_run_function ../../source3/utils/net_util.c:453
        #5 0x563631fe8a9f in main ../../source3/utils/net.c:1358
        #6 0x7f339b22c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #7 0x7f339b22c678 in __libc_start_main_impl ../csu/libc-start.c:381
        #8 0x563631faf374 in _start ../sysdeps/x86_64/start.S:115
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15257
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit ef8c8ac54cdf75ca4333223c1f3e580e31efca92)
    
    Autobuild-User(v4-16-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-16-test): Tue Dec  6 12:02:00 UTC 2022 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 source3/utils/net_offlinejoin.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/utils/net_offlinejoin.c b/source3/utils/net_offlinejoin.c
index ef56ba9fce8..03e5df0eace 100644
--- a/source3/utils/net_offlinejoin.c
+++ b/source3/utils/net_offlinejoin.c
@@ -237,7 +237,7 @@ int net_offlinejoin_requestodj(struct net_context *c,
 {
 	NET_API_STATUS status;
 	uint8_t *provision_bin_data = NULL;
-	uint32_t provision_bin_data_size = 0;
+	size_t provision_bin_data_size = 0;
 	uint32_t options = NETSETUP_PROVISION_ONLINE_CALLER;
 	const char *loadfile = NULL;
 	const char *windows_path = NULL;
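
Review bot: the declaration `size_t provision_bin_data_size = 0;` deserves a short comment, or the commit message an extra sentence, saying that file_load() stores a full size_t through the pointer it is given. The message quotes only the alignment warning (4 to 8), while the ASan trace reports a "WRITE of size 8" from fd_load into this stack variable, which means the old uint32_t object was simply too small for the store. Recording that reason makes it less likely that the type is narrowed again later to match the uint32_t variables around it.
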
@@ -264,12 +264,17 @@ int net_offlinejoin_requestodj(struct net_context *c,
 #endif
 	}
 
-	provision_bin_data = (uint8_t *)file_load(loadfile,
-			(size_t *)&provision_bin_data_size, 0, c);
+	provision_bin_data =
+		(uint8_t *)file_load(loadfile, &provision_bin_data_size, 0, c);
 	if (provision_bin_data == NULL) {
 		d_printf("Failed to read loadfile: %s\n", loadfile);
 		return -1;
 	}
+	if (provision_bin_data_size > UINT32_MAX) {
+		d_printf("provision binary data size too big: %zu\n",
+			 provision_bin_data_size);
+		return -1;
+	}
 
 	status = NetRequestOfflineDomainJoin(provision_bin_data,
 					     provision_bin_data_size,
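
Review bot: after the new `provision_bin_data_size > UINT32_MAX` check, the call to NetRequestOfflineDomainJoin() still receives the size_t value directly, so any narrowing to a 32-bit parameter (which the bound suggests) happens implicitly. Consider an explicit `(uint32_t)provision_bin_data_size` at the call so the conversion is visible next to the check that makes it safe. Also note that on a build where size_t is 32 bits the comparison can never be true and some compilers will warn about it; a brief comment on the check, or a guard on SIZE_MAX, would explain it.
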


-- 
Samba Shared Repository


