summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb/ldb_modules/acl.c
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-06-30 14:21:51 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-07-01 03:55:00 +0200
commitf3c3768d30410de8b0cc8b2ef078640bdc0864d4 (patch)
treed9e31e3ade9aefdea99c47e251c923785b5391f3 /source4/dsdb/samdb/ldb_modules/acl.c
parentf1b1a66615bfceb4d53c11140aceba2412d0ec37 (diff)
downloadsamba-f3c3768d30410de8b0cc8b2ef078640bdc0864d4.tar.gz
samba-f3c3768d30410de8b0cc8b2ef078640bdc0864d4.tar.bz2
samba-f3c3768d30410de8b0cc8b2ef078640bdc0864d4.zip
s4-dsdb guard principalName parse for invalid inputs
We need to ensure that if this parses name.name_string as just one val, then we don't read uninitialised and possibly unallocated memory. Found by Adam Thorn <alt36@cam.ac.uk> While we are checking that, we need to fix the strncasecmp() check to first check if the string is the expected length, then check for a match against sAMAccountName-without-doller, as otherwise we will permit a string such as machinefoo to match a sAMAccountName of machine. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Fri Jul 1 03:55:00 CEST 2011 on sn-devel-104
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules/acl.c')
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 98bf43d21e..49152d418a 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -477,6 +477,10 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
return LDB_ERR_CONSTRAINT_VIOLATION;
}
+ if (principal->name.name_string.len < 2) {
+ goto fail;
+ }
+
instanceName = principal->name.name_string.val[1];
serviceType = principal->name.name_string.val[0];
realm = krb5_principal_get_realm(krb_ctx, principal);
@@ -509,7 +513,8 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
}
/* instanceName can be samAccountName without $ or dnsHostName
* or "ntds_guid._msdcs.forest_domain for DC objects */
- if (strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) {
+ if (strlen(instanceName) == (strlen(samAccountName) - 1)
+ && strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) {
goto success;
} else if (strcasecmp(instanceName, dnsHostName) == 0) {
goto success;