[PATCH] Fix&cleanup for idmap_autorid

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Mar 6 15:54:52 UTC 2016


Hi!

Review appreciated!

Thanks, Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 08391ef16e9cf539a59ce5a8d946c00287850d0c Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 6 Mar 2016 16:39:58 +0100
Subject: [PATCH 1/2] idmap_autorid: Fix a use-after-free

Parsing the domain_range_index references data.dptr

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/winbindd/idmap_autorid.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
index 76dccaa..3f6f20c 100644
--- a/source3/winbindd/idmap_autorid.c
+++ b/source3/winbindd/idmap_autorid.c
@@ -231,8 +231,8 @@ static NTSTATUS idmap_autorid_id_to_sid(struct autorid_global_config *cfg,
 	}
 
 	ok = dom_sid_parse_endp((const char *)data.dptr, &domsid, &q);
-	TALLOC_FREE(data.dptr);
 	if (!ok) {
+		TALLOC_FREE(data.dptr);
 		map->status = ID_UNKNOWN;
 		return NT_STATUS_OK;
 	}
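Review bot: Nothing in the code records why the free of `data.dptr` had to move away from its old place right after `dom_sid_parse_endp()`: going by the commit message and the `sscanf(q+1, ...)` in the next hunk, `q` still points into that buffer. The buffer's lifetime is now spread over three `TALLOC_FREE(data.dptr)` calls (the `!ok` branch here, plus the sscanf failure path and the fall-through in the next hunk), so a later early return or tidy-up could bring the use-after-free back or leak the record. I would add a comment above the parse call, `/* q points into data.dptr; keep it allocated until domain_range_index is parsed */`. The body of idmap_autorid_id_to_sid starts and ends outside both hunks.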
@@ -240,10 +240,13 @@ static NTSTATUS idmap_autorid_id_to_sid(struct autorid_global_config *cfg,
 		if (sscanf(q+1, "%"SCNu32, &domain_range_index) != 1) {
 			DEBUG(10, ("Domain range index not found, "
 				   "ignoring mapping request\n"));
+			TALLOC_FREE(data.dptr);
 			map->status = ID_UNKNOWN;
 			return NT_STATUS_OK;
 		}
 
+	TALLOC_FREE(data.dptr);
+
 	reduced_rid = normalized_id % cfg->rangesize;
 	rid = reduced_rid + domain_range_index * cfg->rangesize;
 
-- 
1.7.9.5


From a1ae0c3368933136df9d0646a8a486068e125f5e Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 10 Feb 2016 09:02:12 +0100
Subject: [PATCH 2/2] idmap_autorid: Protect against corrupt databases

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/winbindd/idmap_autorid.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
index 3f6f20c..20cd5b7 100644
--- a/source3/winbindd/idmap_autorid.c
+++ b/source3/winbindd/idmap_autorid.c
@@ -217,6 +217,13 @@ static NTSTATUS idmap_autorid_id_to_sid(struct autorid_global_config *cfg,
 		return NT_STATUS_OK;
 	}
 
+	if (data.dptr[data.dsize-1] != '\0') {
+		DBG_WARNING("Invalid range %"PRIu32"\n", range_number);
+		TALLOC_FREE(data.dptr);
+		map->status = ID_UNKNOWN;
+		return NT_STATUS_OK;
+	}
+
 	if (strncmp((const char *)data.dptr,
 		    ALLOC_RANGE,
 		    strlen(ALLOC_RANGE)) == 0) {
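Review bot: The added test `data.dptr[data.dsize-1] != '\0'` is itself unsafe for an empty record. With `data.dsize == 0` the index `data.dsize-1` wraps around (dsize is presumably an unsigned size) and the read is out of bounds, possibly through a NULL `data.dptr`. A zero-length value is a plausible form of the corrupt-database case this patch targets. Unless a check outside the hunk already guarantees a non-empty record, the condition should be `if ((data.dsize == 0) || (data.dptr[data.dsize-1] != '\0')) {`. The function body starts and ends outside the hunk, so an earlier length check cannot be ruled out from here.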
-- 
1.7.9.5


