> Full_Name: Russell Greene
> Samba_Version: 2.2.6
> Server_OS: N/A
> Client_OS: N/A
> Submission from: (NULL) (128.12.177.14)
> 
> 
> This is a potential bug found by a checker.  Please verify.
> 
> The variable "response" is read from the socket (thus has the potential to be
> tainted) and then is used to compute extra_data_len which is sent to malloc. 
> Since the value of extra_data_len is not range checked there is a potential for
> very large allocations.
> 
> 
> [BUG] The response length can be set to something very large causing malloc to
> allocate huge memory
> /u1/rdg12/net/samba-2.2.6/source/nsswitch/wb_common.c:298:read_reply:
> ERROR:USER:292:298:passing needub data (*response).length to malloc [SECURITY]
> [call overflow]

If winbindd wants to send us dud data, it could do far worse than asking us to
do a large malloc().  (Like grant all logins for root with no pw, set all users
to uid = 0...).

Andrew Bartlett

>       response->extra_data = NULL;
> 
>       /* Read variable length response */
>       
> Start --->
>       if (response->length > sizeof(struct winbindd_response)) {
>               int extra_data_len = response->length - 
>                       sizeof(struct winbindd_response);
>               
>               /* Mallocate memory for extra data */
>               
> Error --->
>               if (!(response->extra_data = malloc(extra_data_len))) {
>                       return -1;
>               }
> 
> 

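The pattern the checker flagged, a peer-supplied `response->length` subtracted from the header size and handed straight to `malloc()`, is shown below next to a bounded variant. This is an added illustration written for this thread, not Samba's `read_reply()` and not the reporter's code: the two-field `struct winbindd_response`, the in-memory `wire` buffer standing in for the socket, the `MAX_EXTRA_DATA_LEN` ceiling and the helper names (`checked_extra_data_len`, `read_reply_bounded`, `build_reply`, the `demo_*` functions) are all assumptions of the example. The point it makes is the one the report raises: a length field that came off the wire needs a lower bound (at least the fixed header) and an upper bound before it sizes an allocation, and the bytes it promises must actually be present.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct winbindd_response: just the two fields this
   example needs (the real struct carries many more). */
struct winbindd_response {
    uint32_t length;      /* total reply length, fixed header included */
    void    *extra_data;  /* variable-length tail, allocated by the reader */
};

/* Assumed ceiling on the variable-length tail; the thread names no figure. */
#define MAX_EXTRA_DATA_LEN (1024u * 1024u)

/* Range-check the peer-supplied length before it sizes a malloc().
   Returns the extra byte count, or -1 if the header is malformed or too big.
   The unbounded form flagged by the checker is simply
   "length - sizeof(struct winbindd_response)" with neither test. */
long checked_extra_data_len(uint32_t length)
{
    if (length < sizeof(struct winbindd_response))
        return -1;                         /* shorter than the header itself */
    uint32_t extra = length - (uint32_t)sizeof(struct winbindd_response);
    if (extra > MAX_EXTRA_DATA_LEN)
        return -1;                         /* refuse a huge allocation */
    return (long)extra;
}

/* Simulated read_reply() over an in-memory buffer that stands in for the
   socket: 'wire' holds a header of sizeof(struct winbindd_response) bytes
   (length field first, host byte order) followed by the extra data.
   Returns 0 on success, -1 on any error; extra_data is NULL on error. */
int read_reply_bounded(const unsigned char *wire, size_t wire_len,
                       struct winbindd_response *response)
{
    response->extra_data = NULL;
    if (wire_len < sizeof(struct winbindd_response))
        return -1;                         /* short read of the fixed part */
    memcpy(&response->length, wire, sizeof(response->length));

    long extra = checked_extra_data_len(response->length);
    if (extra < 0)
        return -1;
    if (extra == 0)
        return 0;
    if (wire_len - sizeof(struct winbindd_response) < (size_t)extra)
        return -1;                         /* promised tail is not present */

    response->extra_data = malloc((size_t)extra);
    if (!response->extra_data)
        return -1;
    memcpy(response->extra_data,
           wire + sizeof(struct winbindd_response), (size_t)extra);
    return 0;
}

/* Builds a constructed reply into buf: a zeroed header carrying the given
   length field, then 'tail'. Returns bytes written, 0 if buf is too small. */
size_t build_reply(unsigned char *buf, size_t bufsz, uint32_t length,
                   const char *tail, size_t tail_len)
{
    size_t hdr = sizeof(struct winbindd_response);
    if (bufsz < hdr + tail_len)
        return 0;
    memset(buf, 0, hdr);
    memcpy(buf, &length, sizeof(length));
    memcpy(buf + hdr, tail, tail_len);
    return hdr + tail_len;
}

/* Well-formed reply: 5 bytes of extra data are read back intact. */
int demo_well_formed(void)
{
    unsigned char buf[64];
    struct winbindd_response r;
    uint32_t len = (uint32_t)sizeof(struct winbindd_response) + 5;
    size_t n = build_reply(buf, sizeof buf, len, "hello", 5);
    int ok = read_reply_bounded(buf, n, &r) == 0
          && r.extra_data != NULL
          && memcmp(r.extra_data, "hello", 5) == 0;
    free(r.extra_data);
    return ok;
}

/* Header claiming a 4 GiB reply: rejected before malloc() is ever called. */
int demo_oversized_rejected(void)
{
    unsigned char buf[64];
    struct winbindd_response r;
    size_t n = build_reply(buf, sizeof buf, 0xFFFFFFFFu, "", 0);
    return read_reply_bounded(buf, n, &r) == -1 && r.extra_data == NULL;
}

int main(void)
{
    printf("well-formed reply accepted: %s\n", demo_well_formed() ? "yes" : "no");
    printf("oversized reply rejected:   %s\n", demo_oversized_rejected() ? "yes" : "no");
    return 0;
}
```

The lower bound matters as much as the upper one: with an unsigned `length` below the header size, the subtraction wraps to a very large value, so checking only "is it too big" after the subtraction would still let a short header through to a huge `malloc()`.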