From e24974380d828a65e5e385b7aee1555a32f8401d Mon Sep 17 00:00:00 2001
From: Noel Power
Date: Mon, 25 Sep 2023 14:27:25 +0100
Subject: [PATCH 1/5] s3/utils: Ensure we don't write beyond end of fstring

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15467
Signed-off-by: Noel Power
---
 source3/utils/ntlm_auth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index f0f7345d62f..14d0e06afef 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -393,7 +393,7 @@ static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain,
 fstrcpy(user, p+1);
 fstrcpy(domain, domuser);
- domain[PTR_DIFF(p, domuser)] = 0;
+ domain[MIN(PTR_DIFF(p, domuser), sizeof(fstring) - 1)] = 0;
 return strupper_m(domain);
 }
-- 
2.35.3

From cefd138d151cc8e9421e917b76d23868bdfc1537 Mon Sep 17 00:00:00 2001
From: Noel Power
Date: Mon, 25 Sep 2023 14:30:14 +0100
Subject: [PATCH 2/5] nsswitch: Ensure we can't write beyond end of fstring

Signed-off-by: Noel Power
---
 nsswitch/wbinfo.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 6148b204043..7a7be197763 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -117,7 +117,7 @@ static bool parse_wbinfo_domain_user(const char *domuser, fstring domain,
 {
 char *p = strchr(domuser,winbind_separator());
-
+ int eos;
 if (!p) {
 /* Maybe it was a UPN? */
 p = strchr(domuser, '@');
@@ -134,7 +134,13 @@ static bool parse_wbinfo_domain_user(const char *domuser, fstring domain,
 fstrcpy(user, p+1);
 fstrcpy(domain, domuser);
- domain[PTR_DIFF(p, domuser)] = 0;
+
+ eos = PTR_DIFF(p, domuser);
+ if (eos > (sizeof(fstring) - 1)) {
+ eos = sizeof(fstring) - 1;
+ }
+
+ domain[eos] = 0;
 return true;
 }
-- 
2.35.3

From bb48ecfc503bf9772e3fc299c3dcf853c26c6e8c Mon Sep 17 00:00:00 2001
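Review bot: Clamping the index on the added `domain[MIN(PTR_DIFF(p, domuser), sizeof(fstring) - 1)] = 0;` line stops the out-of-bounds write, but an over-long domain part is still accepted in truncated form and the function goes on to `return strupper_m(domain)`. In a helper that parses an identity for authentication, a silently shortened domain (and, through `fstrcpy(user, p+1)`, presumably a shortened user) is better rejected, for example with `if ((size_t)PTR_DIFF(p, domuser) >= sizeof(fstring)) { return false; }` ahead of the two `fstrcpy()` calls. The same consideration applies to the matching hunks in nsswitch/wbinfo.c, libgpo/gpext/gpext.c, source3/winbindd/winbindd_util.c and source4/torture/winbind/struct_based.c, each with its own failure path. The function starts and ends outside this hunk, so whether callers already bound the input length is not visible here.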
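Review bot: `eos` is declared `int` (in the previous hunk) but receives a pointer difference and is then compared with `sizeof(fstring) - 1`, a `size_t`, so `if (eos > (sizeof(fstring) - 1))` mixes signed and unsigned operands and the assignment narrows. Declaring it `size_t eos;` keeps the check in one type, or the hunk could use the single-line form the other four patches use: `domain[MIN(PTR_DIFF(p, domuser), sizeof(fstring) - 1)] = 0;`. Either way the five fixes would then read the same, which makes the series easier to audit and backport.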
From: Noel Power
Date: Mon, 25 Sep 2023 18:16:56 +0100
Subject: [PATCH 3/5] libgpo/gpext: Ensure we can't write beyond end of fstring

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15467
Signed-off-by: Noel Power
---
 libgpo/gpext/gpext.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libgpo/gpext/gpext.c b/libgpo/gpext/gpext.c
index 45c89707720..d8d38e3f109 100644
--- a/libgpo/gpext/gpext.c
+++ b/libgpo/gpext/gpext.c
@@ -569,7 +569,8 @@ static NTSTATUS gp_glob_ext_list(TALLOC_CTX *mem_ctx,
 }
 fstrcpy(name, dirent->d_name);
- name[PTR_DIFF(p, dirent->d_name)] = 0;
+ name[MIN(PTR_DIFF(p, dirent->d_name),
+ sizeof(fstring) - 1)] = 0;
 if (!add_string_to_array(mem_ctx, name, ext_list, ext_list_len)) {
-- 
2.35.3

From b9a8dd2e42d74c87b35191a3f3d2baa7fe73a1eb Mon Sep 17 00:00:00 2001
From: Noel Power
Date: Mon, 25 Sep 2023 18:18:09 +0100
Subject: [PATCH 4/5] s3/winbind: Ensure we can't write beyond end of fstring

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15467
Signed-off-by: Noel Power
---
 source3/winbindd/winbindd_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 773cdab3da9..3384e1849c5 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1562,7 +1562,7 @@ bool parse_domain_user(const char *domuser,
 if (p != NULL) {
 fstrcpy(user, p + 1);
 fstrcpy(domain, domuser);
- domain[PTR_DIFF(p, domuser)] = '\0';
+ domain[MIN(PTR_DIFF(p, domuser),sizeof(fstring)-1)] = '\0';
 fstrcpy(namespace, domain);
 } else {
 fstrcpy(user, domuser);
-- 
2.35.3

From e28ba218c6d650d7603348b874588cdc51a319ec Mon Sep 17 00:00:00 2001
From: Noel Power
Date: Mon, 25 Sep 2023 18:18:35 +0100
Subject: [PATCH 5/5] s4/torture: Ensure we can't write beyond end of fstring

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15467
Signed-off-by: Noel Power
---
 source4/torture/winbind/struct_based.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
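Review bot: The added line in `parse_domain_user` carries no comment saying why the separator offset can exceed the buffer, and its spacing differs from the other patches in the series. A one-line comment above it such as `/* fstrcpy() truncates, so p may lie past the end of the copy in domain */` would keep a later cleanup from removing the clamp as redundant; this assumes `fstrcpy()` bounds the copy to `sizeof(fstring)`, which the patch subject implies but the hunk does not show. For consistency write `MIN(PTR_DIFF(p, domuser), sizeof(fstring) - 1)`. The function body continues outside the hunk.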
diff --git a/source4/torture/winbind/struct_based.c b/source4/torture/winbind/struct_based.c
index 1c8751e7f9c..5bda0d00d46 100644
--- a/source4/torture/winbind/struct_based.c
+++ b/source4/torture/winbind/struct_based.c
@@ -985,7 +985,7 @@ static bool parse_domain_user(struct torture_context *torture,
 fstrcpy(user, p+1);
 fstrcpy(domain, domuser);
- domain[PTR_DIFF(p, domuser)] = 0;
+ domain[MIN(PTR_DIFF(p, domuser), sizeof(fstring) - 1)] = 0;
 return true;
 }
-- 
2.35.3
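Review bot: The series changes this torture helper but adds no test that drives any of the five parsers with a name whose separator sits beyond the end of an fstring. A case in this file that passes a `domuser` whose domain part is at least `sizeof(fstring)` characters long and checks the result would pin the fix and catch a regression if the clamp is later dropped. Only the tail of `parse_domain_user` is visible in the hunk, so where such a case would best be placed is not clear from here.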