s4:dsdb: Avoid buffer overflow in samdb_result_hashes()

author Jo Sutton <josutton@catalyst.net.nz>

Thu, 11 Jan 2024 21:43:39 +0000 (10:43 +1300)

committer Andrew Bartlett <abartlet@samba.org>

Thu, 8 Feb 2024 02:48:45 +0000 (02:48 +0000)
author Jo Sutton <josutton@catalyst.net.nz>
Thu, 11 Jan 2024 21:43:39 +0000 (10:43 +1300)
committer Andrew Bartlett <abartlet@samba.org>
Thu, 8 Feb 2024 02:48:45 +0000 (02:48 +0000)
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c

index e6e18b15eef04c8113d30adb726de40f9e87dcfd..fe63e18c35c116ddabbbf20e66486411ea673d44 100644 (file)
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -558,6 +558,13 @@ unsigned int samdb_result_hashes(TALLOC_CTX *mem_ctx, const struct ldb_message *
         if (!val) {
                 return 0;
         }
+       if (val->length % 16 != 0) {
+               /*
+                * The length is wrong. Don’t try to read beyond the end of the
+                * buffer.
+                */
+               return 0;
+       }
         count = val->length / 16;
         if (count == 0) {
                 return 0;
author	Jo Sutton <josutton@catalyst.net.nz>
	Thu, 11 Jan 2024 21:43:39 +0000 (10:43 +1300)
committer	Andrew Bartlett <abartlet@samba.org>
	Thu, 8 Feb 2024 02:48:45 +0000 (02:48 +0000)