> Full_Name: Russell Greene
> Samba_Version: 2.2.6
> Server_OS: N/A
> Client_OS: N/A
> Submission from: (NULL) (128.12.177.14)
>
>
> This is a potential bug found by a checker. Please verify.
>
> The variable "response" is read from the socket (thus has the potential to be
> tainted) and then is used to compute extra_data_len which is sent to malloc.
> Since the value of extra_data_len is not range checked there is a potential for
> very large allocations.
>
>
> [BUG] The response length can be set to something very large causing malloc to
> allocate huge memory
> /u1/rdg12/net/samba-2.2.6/source/nsswitch/wb_common.c:298:read_reply:
> ERROR:USER:292:298:passing needub data (*response).length to malloc [SECURITY]
> [call overflow]
If winbindd wants to send us dud data, it could do far worse than asking us to
do a large malloc(). (Like grant all logins for root with no pw, set all users
to uid = 0...).

Andrew Bartlett

>     response->extra_data = NULL;
>
>     /* Read variable length response */
>
> Start --->
>     if (response->length > sizeof(struct winbindd_response)) {
>         int extra_data_len = response->length -
>             sizeof(struct winbindd_response);
>
>         /* Mallocate memory for extra data */
>
> Error --->
>         if (!(response->extra_data = malloc(extra_data_len))) {
>             return -1;
>         }
>
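The range check the report asks for, written out as an added C example that is not Samba's own code: a stand-in for read_reply() that validates the peer-supplied length before it becomes a malloc() size. The header struct, the 64 KiB ceiling and the in-memory buffer replacing the socket are all assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for struct winbindd_response (assumed shape): only the
 * peer-supplied total length matters for this check. */
struct reply_hdr { uint32_t length; };
/* Largest extra-data block we will allocate per reply (assumed bound). */
#define MAX_EXTRA_DATA (64u * 1024u)

/* Validate a peer-supplied total length before it becomes a malloc() size.
 * Returns the extra-data length, or -1 if the value cannot be trusted. */
long checked_extra_len(uint32_t claimed_len)
{
    if (claimed_len < sizeof(struct reply_hdr))
        return -1;                         /* subtraction would underflow */
    uint32_t extra = claimed_len - (uint32_t)sizeof(struct reply_hdr);
    if (extra > MAX_EXTRA_DATA)
        return -1;                         /* refuse absurd allocations */
    return (long)extra;
}

/* Parse one reply from an in-memory buffer standing in for the socket.
 * Returns the extra-data length copied into *extra (caller frees), or -1. */
long read_reply(const unsigned char *buf, size_t buf_len, unsigned char **extra)
{
    struct reply_hdr hdr;
    *extra = NULL;
    if (buf_len < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    long n = checked_extra_len(hdr.length);
    if (n < 0) return -1;
    if ((size_t)n > buf_len - sizeof hdr) return -1; /* claimed more than sent */
    if (n > 0) {
        if (!(*extra = malloc((size_t)n))) return -1;
        memcpy(*extra, buf + sizeof hdr, (size_t)n);
    }
    return n;
}

/* Constructed sample: a header claiming `claimed` bytes followed by `payload`
 * (at most 60 bytes), fed through read_reply(); returns its result. */
long try_reply(uint32_t claimed, const char *payload)
{
    unsigned char buf[64], *extra;
    size_t plen = strlen(payload);
    memcpy(buf, &claimed, sizeof claimed);
    memcpy(buf + sizeof claimed, payload, plen);
    long n = read_reply(buf, sizeof claimed + plen, &extra);
    free(extra);
    return n;
}
```

A claimed length of 0xFFFFFFFF is rejected before any allocation, and a length smaller than the header is rejected rather than wrapping around to a huge value.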