[PATCH] Do not leave random talloc magic in free()'ed memory, fix abort message

Andrew Bartlett abartlet at samba.org
Wed Jan 17 08:33:59 UTC 2018

On Wed, 2018-01-17 at 08:30 +0100, Volker Lendecke via samba-technical
> On Wed, Jan 17, 2018 at 07:23:59AM +1300, Andrew Bartlett via samba-technical wrote:
> > Gary started to filter some untrusted strings when doing the auth audit
> > work (the *new* messages get the usernames etc encoded if not ASCII)
> > but what I'm saying is that every other DEBUG(0, ...), DEBUG(1, ...) et
> > al that uses %s on untrusted user-supplied data is the same threat.
> You're saying that printf("%s",untrusted); is unsafe? What's the
> alternative? Along that line: How do we untaint data for Coverity?

In the context of DEBUG(), the attack is described here:


For that reason, we took care to write and use log_escape() in the auth
audit code.  It is declared here:

lib/util/util_str_escape.c:char *log_escape(TALLOC_CTX *frame, const
char *in)

The list of 'bad' characters could potentially be extended.

I don't know and didn't assert that printf("%s", untrusted) is itself
unsafe, beyond the above I would see the main risk as being a SIGSEGV
if the attacker can control the NUL termination.


Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list