Skip to content

Commit

Permalink
s3:utils: Fix stack smashing in net offlinejoin
Browse files Browse the repository at this point in the history 
Cast from 'uint32_t *' (aka 'unsigned int *') to 'size_t *' (aka
'unsigned long *') increases required alignment from 4 to 8

==10343==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc6784fc0 at pc 0x7f339f1ea500 bp 0x7ffdc6784ed0 sp 0x7ffdc6784ec8
WRITE of size 8 at 0x7ffdc6784fc0 thread T0
    #0 0x7f339f1ea4ff in fd_load ../../lib/util/util_file.c:220
    #1 0x7f339f1ea5a4 in file_load ../../lib/util/util_file.c:245
    #2 0x56363209a596 in net_offlinejoin_requestodj ../../source3/utils/net_offlinejoin.c:267
    #3 0x56363209a9d0 in net_offlinejoin ../../source3/utils/net_offlinejoin.c:74
    #4 0x56363208f61c in net_run_function ../../source3/utils/net_util.c:453
    #5 0x563631fe8a9f in main ../../source3/utils/net.c:1358
    #6 0x7f339b22c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7f339b22c678 in __libc_start_main_impl ../csu/libc-start.c:381
    #8 0x563631faf374 in _start ../sysdeps/x86_64/start.S:115

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15257

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit ef8c8ac)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Tue Dec  6 12:02:00 UTC 2022 on sn-devel-184
  • Loading branch information
@cryptomilk
cryptomilk authored and Jule Anger committed Dec 6, 2022
1 parent 885e3fc commit 994464e
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions source3/utils/net_offlinejoin.c
View file
Expand Up @@ -237,7 +237,7 @@ int net_offlinejoin_requestodj(struct net_context *c,
{
NET_API_STATUS status;
uint8_t *provision_bin_data = NULL;
uint32_t provision_bin_data_size = 0;
size_t provision_bin_data_size = 0;
uint32_t options = NETSETUP_PROVISION_ONLINE_CALLER;
const char *loadfile = NULL;
const char *windows_path = NULL;
Expand All @@ -264,12 +264,17 @@ int net_offlinejoin_requestodj(struct net_context *c,
#endif
}

provision_bin_data = (uint8_t *)file_load(loadfile,
(size_t *)&provision_bin_data_size, 0, c);
provision_bin_data =
(uint8_t *)file_load(loadfile, &provision_bin_data_size, 0, c);
if (provision_bin_data == NULL) {
d_printf("Failed to read loadfile: %s\n", loadfile);
return -1;
}
if (provision_bin_data_size > UINT32_MAX) {
d_printf("provision binary data size too big: %zu\n",
provision_bin_data_size);
return -1;
}

status = NetRequestOfflineDomainJoin(provision_bin_data,
provision_bin_data_size,
Expand Down

0 comments on commit 994464e

Please sign in to comment.