summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2008-12-20 12:05:48 +1100
committerAndrew Bartlett <abartlet@samba.org>2008-12-20 14:44:39 +1100
commit18c095e5d86d1353eff8aea1b641968d504b6c80 (patch)
tree6ce4f3558030d24fd7e3c7c1e2c148cbbea13874
parent6488afaafe028ad2deba03517294b577ea3b4167 (diff)
downloadsamba-18c095e5d86d1353eff8aea1b641968d504b6c80.tar.gz
samba-18c095e5d86d1353eff8aea1b641968d504b6c80.tar.bz2
samba-18c095e5d86d1353eff8aea1b641968d504b6c80.zip
Don't trust sscanf not to run off the end of the string
The memory allocations here are wasteful, but they do nicely ensure we cannot walk off the end of the DATA_BLOB that might be a string, or might be binary and might not be NULL terminated. Andrew Bartlett
-rw-r--r--librpc/ndr/uuid.c49
1 files changed, 35 insertions, 14 deletions
diff --git a/librpc/ndr/uuid.c b/librpc/ndr/uuid.c
index aa24ac4494..2b47246806 100644
--- a/librpc/ndr/uuid.c
+++ b/librpc/ndr/uuid.c
@@ -36,6 +36,7 @@ _PUBLIC_ NTSTATUS GUID_from_data_blob(const DATA_BLOB *s, struct GUID *guid)
uint32_t clock_seq[2];
uint32_t node[6];
uint8_t buf16[16];
+
DATA_BLOB blob16 = data_blob_const(buf16, sizeof(buf16));
int i;
@@ -43,20 +44,40 @@ _PUBLIC_ NTSTATUS GUID_from_data_blob(const DATA_BLOB *s, struct GUID *guid)
return NT_STATUS_INVALID_PARAMETER;
}
- if (s->length == 36 &&
- 11 == sscanf((const char *)s->data,
- "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
- &time_low, &time_mid, &time_hi_and_version,
- &clock_seq[0], &clock_seq[1],
- &node[0], &node[1], &node[2], &node[3], &node[4], &node[5])) {
- status = NT_STATUS_OK;
- } else if (s->length == 38
- && 11 == sscanf((const char *)s->data,
- "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}",
- &time_low, &time_mid, &time_hi_and_version,
- &clock_seq[0], &clock_seq[1],
- &node[0], &node[1], &node[2], &node[3], &node[4], &node[5])) {
- status = NT_STATUS_OK;
+ if (s->length == 36) {
+ TALLOC_CTX *mem_ctx;
+ const char *string;
+
+ mem_ctx = talloc_new(NULL);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+ string = talloc_strndup(mem_ctx, (const char *)s->data, s->length);
+ NT_STATUS_HAVE_NO_MEMORY(string);
+ if (11 == sscanf(string,
+ "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
+ &time_low, &time_mid, &time_hi_and_version,
+ &clock_seq[0], &clock_seq[1],
+ &node[0], &node[1], &node[2], &node[3], &node[4], &node[5])) {
+ status = NT_STATUS_OK;
+ }
+ talloc_free(mem_ctx);
+
+ } else if (s->length == 38) {
+ TALLOC_CTX *mem_ctx;
+ const char *string;
+
+ mem_ctx = talloc_new(NULL);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+ string = talloc_strndup(mem_ctx, (const char *)s->data, s->length);
+ NT_STATUS_HAVE_NO_MEMORY(string);
+ if (11 == sscanf((const char *)s->data,
+ "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}",
+ &time_low, &time_mid, &time_hi_and_version,
+ &clock_seq[0], &clock_seq[1],
+ &node[0], &node[1], &node[2], &node[3], &node[4], &node[5])) {
+ status = NT_STATUS_OK;
+ }
+ talloc_free(mem_ctx);
+
} else if (s->length == 32) {
size_t rlen = strhex_to_str((char *)blob16.data, blob16.length,
(const char *)s->data, s->length);