Memory leak when parsing usernames (GHSL-2023-010)

Fixes defect GHSL-2023-010 found by the GitHub Security Lab team via
oss-fuzz.

The domain portion may be overridden causing an allocated memory area
the size of the domain name to be lost. This could be used to mount a
DoS by depleting the server memory.

Signed-off-by: Simo Sorce <simo@redhat.com>
simo5 committed Feb 12, 2023
1 parent 025fbb7 commit 8660fb1
Showing 1 changed file with 2 additions and 6 deletions.
8 changes: 2 additions & 6 deletions src/gss_names.c
Expand Up @@ -136,7 +136,6 @@ static uint32_t parse_user_name(uint32_t *minor_status,
/* we may have an enterprise name here */
char strbuf[len + 1];
char *buf = strbuf;
bool domain_handled = false;

/* copy buf to manipulate it */
memcpy(buf, str, len);
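Review bot: dropping `bool domain_handled` means the later `if (*domain)` / `else if (!*domain)` checks in this function now rely on `*domain` being NULL when parse_user_name is entered; that initialisation is not visible in this hunk, so please confirm it happens (or add `*domain = NULL;` at the top of the function and say so in a comment), otherwise an uninitialised output pointer would be read and possibly passed to free(). Separately, `char strbuf[len + 1]` is a stack VLA sized by the caller-supplied `len`; unrelated to this fix, but a bound check on `len` before this line would be worth a follow-up.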
Expand All @@ -160,9 +159,6 @@ static uint32_t parse_user_name(uint32_t *minor_status,
}

if (sep) {
/* leading domain, copy if domain name is not empty */
domain_handled = true;

/* terminate and copy domain, even if empty */
/* NOTE: this is important for the Windbind integration case
* where we need to tell the machinery to *not* add the default
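Review bot: removing the "copy if domain name is not empty" comment is right, since it contradicted the kept "terminate and copy domain, even if empty" comment directly below it; with the flag gone, the kept comment could also state that a non-NULL `*domain` is now what marks the leading domain as handled, so nobody reintroduces a separate flag later. Minor: "Windbind" in the kept comment should read "Winbind".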
Expand All @@ -180,7 +176,7 @@ static uint32_t parse_user_name(uint32_t *minor_status,

for (at = strchr(buf, '@'); at != NULL; at = strchr(at, '@')) {
if (*(at - 1) == '\\') {
if (domain_handled) {
if (*domain) {
/* Invalid forms like DOM\foo\@bar or foo@bar\@baz */
free(*domain);
*domain = NULL;
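Review bot: testing `*domain` instead of `domain_handled` means the invalid-form check (`DOM\foo\@bar`, `foo@bar\@baz`) now fires whenever a domain has actually been allocated, not only when the flag happened to be set, which is what closes the leak described in the commit message; a regression test feeding those two forms from the comment, plus a bare `foo\@bar` with no prior domain, would lock that in. Also worth checking: `*(at - 1)` reads one byte before `buf` when the first character of `buf` is '@', unless earlier code rules that out.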
Expand All @@ -189,7 +185,7 @@ static uint32_t parse_user_name(uint32_t *minor_status,
}
/* remove escape, moving all including terminating '\0' */
memmove(at - 1, at, len - (at - buf) + 1);
} else if (!domain_handled) {
} else if (!*domain) {
/* an '@' without escape and no previous
* domain was split out.
* the rest of the string is the domain */
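Review bot: this is the branch that previously overwrote an already-allocated `*domain` when the flag was false, losing the allocation; with `!*domain` it can only run when nothing is allocated yet. What is not visible here is what happens when `*domain` is already set and an unescaped '@' is found: the else-if now falls through silently rather than rejecting the input, so a comment (or an explicit error branch, if that was the intent) stating that a second, unescaped '@' after a leading domain is tolerated would make the new behaviour clear. The comment "no previous domain was split out" could also read "no domain allocated yet" to match the new condition.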