git.openafs.org Git - openafs.git/commit

author	Andrew Deason <adeason@sinenomine.net>
	Tue, 19 Sep 2023 20:55:42 +0000 (15:55 -0500)
committer	Benjamin Kaduk <kaduk@mit.edu>
	Tue, 12 Nov 2024 18:05:35 +0000 (13:05 -0500)
commit	d66caf8c04878724001839317637445708edef2c
tree	737c9471bcebc00fd390c028f1ff47b00ab08d63	tree \| snapshot
parent	1e6e813188ecce62eb7af19385d911f63469bdb6	commit \| diff

OPENAFS-SA-2024-002: acl: Error on missing newlines when parsing ACL

CVE-2024-10396

In acl_Internalize_pr(), each line in an ACL granting rights (positive
or negative) is sscanf()'d with "%63s\t%d\n", and then we try to
advance 'nextc' beyond the next newline character.

However, sscanf()'ing "%63s\t%d\n" does not guarantee that there is a
newline in the given string. Whitespace characters in sscanf() are not
matched exactly, and may match any amount of whitespace (including
none at all). For example, a string like "foo 4" may be parsed by
sscanf(), but does not contain any newlines.

If this happens, strchr(nextc, '\n') will return NULL, and we'll
advance 'nextc' to 0x1, causing a segfault when we next try to
dereference 'nextc'.

To avoid this, check if 'nextc' is NULL after the strchr() call, and
return an error if so.

FIXES 135445

Reviewed-on: https://gerrit.openafs.org/15911
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 96ab2c6f8a614d597a523b45871c5f64a50a7040)

Change-Id: I666dfb2c401410865c1f98d9db1b342b52c8f628
Reviewed-on: https://gerrit.openafs.org/15932
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>