[CHECKER] Potentially very large allocation in malloc (PR#25986)

Andrew Bartlett abartlet at samba.org
Sat Nov 23 10:17:00 GMT 2002


> Full_Name: Russell Greene
> Samba_Version: 2.2.6
> Server_OS: N/A
> Client_OS: N/A
> Submission from: (NULL) (128.12.177.14)
> 
> 
> This is a potential bug found by a checker.  Please verify.
> 
> The variable "response" is read from the socket (thus has the potential to be
> tainted) and then is used to compute extra_data_len which is sent to malloc. 
> Since the value of extra_data_len is not range checked there is a potential for
> very large allocations.
> 
> 
> [BUG] The response length can be set to something very large causing malloc to
> allocate huge memory
> /u1/rdg12/net/samba-2.2.6/source/nsswitch/wb_common.c:298:read_reply:
> ERROR:USER:292:298:passing needub data (*response).length to malloc [SECURITY]
> [call overflow]

If winbindd wants to send us dud data, it could do far worse than asking us to
do a large malloc().  (Like grant all logins for root with no pw, set all users
to uid = 0...).

Andrew Bartlett

> 	response->extra_data = NULL;
> 
> 	/* Read variable length response */
> 	
> Start --->
> 	if (response->length > sizeof(struct winbindd_response)) {
> 		int extra_data_len = response->length - 
> 			sizeof(struct winbindd_response);
> 		
> 		/* Mallocate memory for extra data */
> 		
> Error --->
> 		if (!(response->extra_data = malloc(extra_data_len))) {
> 			return -1;
> 		}
> 
> 
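The range check the report asks for, as an added example that is not Samba's own code: a minimal stand-in for struct winbindd_response (assumed shape, only .length and .extra_data are kept) with the unchecked tail-length computation from the quoted read_reply() beside a version that bounds the tail before it reaches malloc(); MAX_EXTRA_DATA_LEN is an assumed cap, not a Samba constant.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for Samba's struct winbindd_response (assumption: the real struct
 * has many more fields; only .length and .extra_data matter for this check). */
struct winbindd_response {
    uint32_t length;     /* total reply size as claimed by the peer */
    void *extra_data;    /* variable-length tail, malloc'd by the client */
};

/* Upper bound on the tail; an assumed value for this example, not Samba's. */
#define MAX_EXTRA_DATA_LEN (1024u * 1024u)

/* Unchecked form, mirroring the quoted read_reply(): the tail length is
 * whatever the peer wrote in the header minus the fixed header size. */
static long extra_len_unchecked(uint32_t wire_length)
{
    if (wire_length > sizeof(struct winbindd_response))
        return (long)(wire_length - sizeof(struct winbindd_response));
    return 0;
}

/* Hardened form: 0 means no tail, -1 means the header is rejected, otherwise
 * the number of bytes it is acceptable to pass to malloc(). */
static long extra_len_checked(uint32_t wire_length)
{
    size_t hdr = sizeof(struct winbindd_response);
    if (wire_length <= hdr)
        return 0;
    size_t extra = wire_length - hdr;
    if (extra > MAX_EXTRA_DATA_LEN)
        return -1;           /* refuse an oversized allocation */
    return (long)extra;
}

/* Allocate the tail only after the length has passed the check. */
static int alloc_extra_data(struct winbindd_response *r)
{
    long extra = extra_len_checked(r->length);
    r->extra_data = NULL;
    if (extra < 0)
        return -1;           /* corrupt or hostile header: do not allocate */
    if (extra == 0)
        return 0;
    r->extra_data = malloc((size_t)extra);
    return r->extra_data ? 0 : -1;
}
```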
More information about the samba-technical mailing list