diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-06-30 14:21:51 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-07-01 03:55:00 +0200 |
commit | f3c3768d30410de8b0cc8b2ef078640bdc0864d4 (patch) | |
tree | d9e31e3ade9aefdea99c47e251c923785b5391f3 /source4/dsdb/samdb/ldb_modules/acl.c | |
parent | f1b1a66615bfceb4d53c11140aceba2412d0ec37 (diff) | |
download | samba-f3c3768d30410de8b0cc8b2ef078640bdc0864d4.tar.gz samba-f3c3768d30410de8b0cc8b2ef078640bdc0864d4.tar.bz2 samba-f3c3768d30410de8b0cc8b2ef078640bdc0864d4.zip |
s4-dsdb guard principalName parse for invalid inputs
We need to ensure that if this parses name.name_string as just one
val, then we don't read uninitialised and possibly unallocated memory.
Found by Adam Thorn <alt36@cam.ac.uk>
While we are checking that, we need to fix the strncasecmp() check to
first check if the string is the expected length, then check for a
match against sAMAccountName-without-doller, as otherwise we will
permit a string such as machinefoo to match a sAMAccountName of
machine.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Jul 1 03:55:00 CEST 2011 on sn-devel-104
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules/acl.c')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 98bf43d21e..49152d418a 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -477,6 +477,10 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx, return LDB_ERR_CONSTRAINT_VIOLATION; } + if (principal->name.name_string.len < 2) { + goto fail; + } + instanceName = principal->name.name_string.val[1]; serviceType = principal->name.name_string.val[0]; realm = krb5_principal_get_realm(krb_ctx, principal); @@ -509,7 +513,8 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx, } /* instanceName can be samAccountName without $ or dnsHostName * or "ntds_guid._msdcs.forest_domain for DC objects */ - if (strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) { + if (strlen(instanceName) == (strlen(samAccountName) - 1) + && strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) { goto success; } else if (strcasecmp(instanceName, dnsHostName) == 0) { goto success; |