[PATCH] Do not leave random talloc magic in free()'ed memory, fix abort message

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Jan 17 09:14:32 UTC 2018


On Wed, Jan 17, 2018 at 09:33:59PM +1300, Andrew Bartlett via samba-technical wrote:
> In the context of DEBUG(), the attack is described here:
> 
> https://www.owasp.org/index.php/Log_Injection
> 
> For that reason, we took care to write and use log_escape() in the auth
> audit code.  It is declared here:
> 
> lib/util/util_str_escape.c:char *log_escape(TALLOC_CTX *frame, const
> char *in)
> 
> The list of 'bad' characters could potentially be extended.
> 
> I don't know and didn't assert that printf("%s", untrusted) is itself
> unsafe, beyond the above I would see the main risk as being a SIGSEGV
> if the attacker can control the NUL termination.

Doing that manually is the wrong layer. We should do that directly in
DEBUG(). I know this essentially means writing our own printf, but
relying on everybody to correctly escape what's going into
%s is not going to work.

Volker

-- 
Visit verinice.XP 2018 in Berlin,
the user conference for information security,
from 21 to 23 March 2018 at the Sofitel Kurfürstendamm
Info & registration here: http://veriniceXP.org

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
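As an added illustration of the escaping discussed in this thread (example code, not Samba's log_escape() from lib/util/util_str_escape.c and not Volker's proposed in-DEBUG() variant): the hypothetical log_escape_n() below rewrites control bytes, non-ASCII bytes and backslashes so an untrusted value can never start a second log entry, and it bounds how far it reads so a buffer lacking a NUL terminator is not overrun. It uses malloc() instead of talloc to stay self-contained.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>

/* Bytes allowed through unescaped: printable ASCII minus backslash,
 * which is reserved as the escape introducer. */
static bool log_char_is_safe(unsigned char c)
{
    return c >= 0x20 && c < 0x7f && c != '\\';
}

/* Escape at most 'max' bytes of 'in' for use inside one log line:
 * control bytes (CR, LF, ESC, ...) and non-ASCII bytes become \xNN,
 * backslash becomes \\.  Reading stops at the first NUL or at 'max',
 * so input that is not NUL-terminated is never overrun.  Returns a
 * malloc()'ed string (caller frees) or NULL on allocation failure.
 * Illustrative code, not Samba's log_escape(). */
char *log_escape_n(const char *in, size_t max)
{
    size_t len = 0;
    while (len < max && in[len] != '\0')
        len++;
    char *out = malloc(len * 4 + 1); /* worst case: every byte -> \xNN */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (log_char_is_safe(c)) {
            *p++ = (char)c;
        } else if (c == '\\') {
            *p++ = '\\';
            *p++ = '\\';
        } else {
            p += sprintf(p, "\\x%02x", c);
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* constructed attacker-style user name carrying an injected entry */
    char *safe = log_escape_n("alice\nAuth: user=root result=OK", (size_t)-1);
    printf("Auth: user=%s result=FAILED\n", safe); /* still one line */
    free(safe);
    return 0;
}
```

Passing a value through this before it reaches a %s turns the injected newline into the literal text `\x0a`, so a log parser or a human reading the file sees one failed login for a strange user name rather than a forged success for root.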
