[PATCH] Do not leave random talloc magic in free()'ed memory, fix abort message
jra at samba.org
Wed Jan 17 16:59:07 UTC 2018
On Wed, Jan 17, 2018 at 10:14:32AM +0100, Volker Lendecke via samba-technical wrote:
> On Wed, Jan 17, 2018 at 09:33:59PM +1300, Andrew Bartlett via samba-technical wrote:
> > In the context of DEBUG(), the attack is described here:
> > https://www.owasp.org/index.php/Log_Injection
> > For that reason, we took care to write and use log_escape() in the auth
> > audit code. It is declared here:
> > lib/util/util_str_escape.c:char *log_escape(TALLOC_CTX *frame, const
> > char *in)
> > The list of 'bad' characters could potentially be extended.
> > I don't know and didn't assert that printf("%s", untrusted) is itself
> > unsafe, beyond the above I would see the main risk as being a SIGSEGV
> > if the attacker can control the NUL termination.
> Doing that manually is the wrong layer. We should do that directly in
> DEBUG(). I know this essentially means writing our own printf, but
> relying on everybody to correctly escape what's going into
> %s is not going to work.
Sorry I kicked this can of worms :-). I think we're no worse
than we were with the current fix in talloc. It used debug
before, and uses debug now.
This is something we can allow our paranoia to mildly worry
about :-), but not take drastic action on IMHO.
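As an added illustration of the escaping discussed above (this is example code written for this page, not Samba's own log_escape() in lib/util/util_str_escape.c), the function below shows the defensive property such a helper has to provide: an attacker-controlled string that reaches a `%s` in a log call must not be able to start a new log line or carry terminal control sequences. The function name `escape_for_log`, the `max_len` bound and the sample strings are all assumptions; the bound addresses the NUL-termination concern from the thread by never reading past a caller-supplied length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical log escaper (not Samba's log_escape()).
 * CR, LF, TAB and backslash become two-character escapes; any other
 * byte outside printable ASCII becomes \xNN. The result therefore
 * cannot forge a second log line and cannot embed ESC sequences.
 * At most max_len bytes are read, so a string whose NUL termination
 * the caller does not trust is still bounded.
 * Returns a malloc()ed NUL-terminated string; the caller frees it. */
char *escape_for_log(const char *in, size_t max_len)
{
    size_t n = 0;
    while (n < max_len && in[n] != '\0') n++;

    /* Worst case: every input byte expands to \xNN (4 chars), plus NUL. */
    char *out = malloc(n * 4 + 1);
    if (out == NULL) return NULL;

    char *p = out;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        switch (c) {
        case '\n': *p++ = '\\'; *p++ = 'n'; break;
        case '\r': *p++ = '\\'; *p++ = 'r'; break;
        case '\t': *p++ = '\\'; *p++ = 't'; break;
        case '\\': *p++ = '\\'; *p++ = '\\'; break;
        default:
            if (c >= 0x20 && c < 0x7f) {
                *p++ = (char)c;          /* printable ASCII passes through */
            } else {
                p += sprintf(p, "\\x%02x", c); /* control/high bytes shown as hex */
            }
        }
    }
    *p = '\0';
    return out;
}

/* The property the escaper is meant to guarantee for every log record:
 * the text written for one event stays on one line. Returns 1 if so. */
int is_single_log_line(const char *s)
{
    return strchr(s, '\n') == NULL && strchr(s, '\r') == NULL;
}

int main(void)
{
    /* Constructed sample: a "username" carrying a forged second log line. */
    const char *untrusted = "alice\nJan 17 auth succeeded for root";
    char *safe = escape_for_log(untrusted, 256);
    if (safe == NULL) return 1;
    printf("unescaped: user=%s\n", untrusted);   /* two lines appear */
    printf("escaped  : user=%s\n", safe);        /* one line appears */
    free(safe);
    return 0;
}
```

The set of bytes treated as "bad" is deliberately the complement of printable ASCII rather than a short deny-list, which is the direction the thread suggests when it notes the list of bad characters could be extended; a caller that wants UTF-8 to survive would need to whitelist valid multibyte sequences explicitly.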