OPENAFS-SA-2024-002: make VIOCGETAL consumers stay within string bounds 37/15937/2
author Benjamin Kaduk <kaduk@mit.edu>
Tue, 5 Nov 2024 04:50:50 +0000 (20:50 -0800)
committer Benjamin Kaduk <kaduk@mit.edu>
Tue, 12 Nov 2024 18:05:49 +0000 (13:05 -0500)
commit a9ede52673b8c8abbfc2577ac6987a8a5686206f
tree 4fe8d4fe3b14d0f82e99b5679507a4616e1799a2
parent a96a3160f5425125588f39f5ac612df3ef9b9a8a
OPENAFS-SA-2024-002: make VIOCGETAL consumers stay within string bounds

CVE-2024-10396

After the preceding commits, the data returned by the VIOCGETAL
pioctl (a RXAFS_FetchAcl wrapper) will safely be NUL-terminated.
However, the callers that attempt to parse the ACL string make
assumptions that the returned data will be properly formatted,
and implement a "skip to next line" functionality (under various
names) that blindly increments a char* until it finds a newline
character, which can read past the end of even a properly
NUL-terminated string if there is not a newline where one is
expected.

Adjust the various "skip to next line" functionality to keep
the current string pointer at the trailing NUL if the end of the
string is reached while searching for a newline.

Reviewed-on: https://gerrit.openafs.org/15916
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit a4ecb050540528a1bff840ff08d21f99e6ef3fbf)

Change-Id: Id2d8c0164cfaa7d03a9e37b29ff58b88cf815483
Reviewed-on: https://gerrit.openafs.org/15937
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
src/WINNT/afsd/fs_acl.c
src/kauth/kkids.c
src/kauth/test/test_interim_ktc.c
src/libadmin/client/afs_clientAdmin.c
src/sys/rmtsysnet.c
src/uss/uss_acl.c
src/venus/fs.c
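
The "skip to next line" fix described in the commit message, as an added example that is not taken from the OpenAFS source: the function names, the `count_lines` consumer and the sample strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* "Before" pattern the commit message describes: it assumes a newline is
 * always present, so on input such as "1\n0" it walks past the trailing
 * NUL. Kept for contrast only; nothing in this example calls it. */
const char *skip_line_unsafe(const char *s)
{
    while (*s != '\n')
        s++;
    return s + 1;
}

/* Hardened form: stop at the newline OR the NUL, and step over the
 * newline only when one was actually found, so the cursor comes to rest
 * on the trailing NUL at end of string. */
const char *skip_line(const char *s)
{
    while (*s != '\0' && *s != '\n')
        s++;
    if (*s == '\n')
        s++;
    return s;
}

/* Hypothetical consumer: count the lines in a NUL-terminated buffer and
 * return -1 if the cursor ever leaves [buf, buf + strlen(buf)]. */
int count_lines(const char *buf)
{
    const char *end = buf + strlen(buf);
    const char *p = buf;
    int n = 0;

    while (*p != '\0') {
        p = skip_line(p);
        if (p > end)
            return -1;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed samples; the second lacks the final newline. */
    printf("%d\n", count_lines("1\n0\nuser 7\n"));
    printf("%d\n", count_lines("1\n0\nuser 7"));
    return 0;
}
```

Calling `skip_line` again once it has reached the NUL returns the same pointer, so a parser that expects more lines than the buffer holds sees empty input instead of adjacent memory.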