OPENAFS-SA-2024-002: acl: Error on missing newlines when parsing ACL

CVE-2024-10396 In acl_Internalize_pr(), each line in an ACL granting rights (positive or negative) is sscanf()'d with "%63s\t%d\n", and then we try to advance 'nextc' beyond the next newline character. However, sscanf()'ing "%63s\t%d\n" does not guarantee that there is a newline in the given string. Whitespace characters in sscanf() are not matched exactly, and may match any amount of whitespace (including none at all). For example, a string like "foo 4" may be parsed by sscanf(), but does not contain any newlines. If this happens, strchr(nextc, '\n') will return NULL, and we'll advance 'nextc' to 0x1, causing a segfault when we next try to dereference 'nextc'. To avoid this, check if 'nextc' is NULL after the strchr() call, and return an error if so. FIXES 135445 Change-Id: I6bcbbaf88a16202fb84c0932578dd8d5712726dd Reviewed-on: https://gerrit.openafs.org/15911 Reviewed-by: Benjamin Kaduk <kaduk@mit.edu> Tested-by: Benjamin Kaduk <kaduk@mit.edu>
2025-01-18 15:00:12 +00:00 · 2023-09-19 15:55:42 -05:00 · 2023-09-19 15:55:42 -05:00 · 96ab2c6f8a
commit 96ab2c6f8a
parent 35d218c1d1
1 changed files with 8 additions and 0 deletions
--- a/src/libacl/aclprocs.c
+++ b/src/libacl/aclprocs.c
@ -278,6 +278,10 @@ acl_Internalize_pr(int (*func)(namelist *names, idlist *ids), char *elist, struc
 	}
 	(*acl)->entries[i].rights = k;
 	nextc = strchr(nextc, '\n');
+	if (nextc == NULL) {
+	    free(lnames.namelist_val);
+	    return (-1);
+	}
 	nextc++;		/* 1 + index can cast ptr to integer */
    }
    j = i;
@ -290,6 +294,10 @@ acl_Internalize_pr(int (*func)(namelist *names, idlist *ids), char *elist, struc
 	    return (-1);
 	}
 	nextc = strchr(nextc, '\n');
+	if (nextc == NULL) {
+	    free(lnames.namelist_val);
+	    return (-1);
+	}
 	nextc++;
    }
    lids.idlist_len = 0;