From d66caf8c04878724001839317637445708edef2c Mon Sep 17 00:00:00 2001
From: Andrew Deason
Date: Tue, 19 Sep 2023 15:55:42 -0500
Subject: [PATCH] OPENAFS-SA-2024-002: acl: Error on missing newlines when parsing ACL

CVE-2024-10396

In acl_Internalize_pr(), each line in an ACL granting rights (positive or negative) is sscanf()'d with "%63s\t%d\n", and then we try to advance 'nextc' beyond the next newline character.

However, sscanf()'ing "%63s\t%d\n" does not guarantee that there is a newline in the given string. Whitespace characters in sscanf() are not matched exactly, and may match any amount of whitespace (including none at all). For example, a string like "foo 4" may be parsed by sscanf(), but does not contain any newlines.

If this happens, strchr(nextc, '\n') will return NULL, and we'll advance 'nextc' to 0x1, causing a segfault when we next try to dereference 'nextc'.

To avoid this, check if 'nextc' is NULL after the strchr() call, and return an error if so.

FIXES 135445

Reviewed-on: https://gerrit.openafs.org/15911
Reviewed-by: Benjamin Kaduk
Tested-by: Benjamin Kaduk
(cherry picked from commit 96ab2c6f8a614d597a523b45871c5f64a50a7040)
Change-Id: I666dfb2c401410865c1f98d9db1b342b52c8f628
Reviewed-on: https://gerrit.openafs.org/15932
Reviewed-by: Benjamin Kaduk
Tested-by: Benjamin Kaduk
---
 src/libacl/aclprocs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/libacl/aclprocs.c b/src/libacl/aclprocs.c index ab6b21dac2..fbdfaa6f9c 100644 --- a/src/libacl/aclprocs.c +++ b/src/libacl/aclprocs.c @@ -278,6 +278,10 @@ acl_Internalize_pr(int (*func)(namelist *names, idlist *ids), char *elist, struc } (*acl)->entries[i].rights = k; nextc = strchr(nextc, '\n'); + if (nextc == NULL) { + free(lnames.namelist_val); + return (-1); + } nextc++; /* 1 + index can cast ptr to integer */ } j = i; 
@@ -290,6 +294,10 @@ acl_Internalize_pr(int (*func)(namelist *names, idlist *ids), char *elist, struc return (-1); } nextc = strchr(nextc, '\n'); + if (nextc == NULL) { + free(lnames.namelist_val); + return (-1); + } nextc++; } lids.idlist_len = 0;
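Review bot: the new `if (nextc == NULL)` check in the first hunk (the positive-rights loop at @@ -278) is also a behaviour change for well-formed input, not only a crash fix: as the commit message says, sscanf() accepts a final entry such as "foo 4" with no '\n', and that entry is now rejected with -1 where it was previously accepted (and then crashed on the next dereference). That new requirement of a trailing newline on every entry deserves a sentence in the commit message or a comment beside the check. The comment on the following line, `nextc++; /* 1 + index can cast ptr to integer */`, also reads oddly now that the NULL case returns early; consider rewording it to say what it guards.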
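Review bot: in the second hunk (the negative-rights loop at @@ -290), the cleanup on the new error path duplicates the first hunk verbatim, `free(lnames.namelist_val); return (-1);`, and the pre-existing early return visible in the context just above it, `return (-1); }`, shows no free on the same line. Please confirm that existing path frees lnames.namelist_val too (the free may sit on a line outside the hunk); if it does not, this loop would now leak on one error and not on the other. Factoring the error exits onto a single cleanup label would keep them from drifting apart, and a regression test that feeds an ACL whose last line lacks a '\n' would pin the fix down.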
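To make the sscanf() whitespace behaviour described in the commit message concrete, here is an added example (not OpenAFS code, and not the body of acl_Internalize_pr(); the names parse_acl_lines, line_parses_but_has_no_newline and struct acl_entry are hypothetical stand-ins). It shows that "%63s\t%d\n" matches a line with no newline at all, that strchr() then returns NULL, and how the parsing loop must check for that before stepping past the newline. The ACL lines are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

#define ACL_NAME_MAX 63

/* Hypothetical entry type standing in for the ACL entries in the patch. */
struct acl_entry {
    char name[ACL_NAME_MAX + 1];
    int rights;
};

/* Returns 1 when sscanf() accepts 'line' with the same format as the
 * patched code, "%63s\t%d\n", even though the line contains no '\n'.
 * The "\t" and "\n" in a scanf format match any run of whitespace,
 * including an empty one, so "foo 4" satisfies both conversions. */
int line_parses_but_has_no_newline(const char *line)
{
    char name[ACL_NAME_MAX + 1];
    int rights;

    return sscanf(line, "%63s\t%d\n", name, &rights) == 2
        && strchr(line, '\n') == NULL;
}

/* Simplified, hypothetical version of the per-entry loop in the patch:
 * parse 'count' lines of "<name><ws><rights>\n" from 'text' into 'out'.
 * Returns the number of entries parsed, or -1 on a malformed line or on a
 * line with no terminating newline. Without the NULL check, the unpatched
 * code computed NULL + 1 and dereferenced it on the next iteration. */
int parse_acl_lines(const char *text, int count, struct acl_entry *out)
{
    const char *nextc = text;
    int i;

    for (i = 0; i < count; i++) {
        int k;

        if (sscanf(nextc, "%63s\t%d\n", out[i].name, &k) != 2)
            return -1;
        out[i].rights = k;

        nextc = strchr(nextc, '\n');
        if (nextc == NULL)      /* the check the patch adds */
            return -1;
        nextc++;                /* safe: nextc points at '\n', not NULL */
    }
    return i;
}

int main(void)
{
    /* Constructed sample ACL bodies: well-formed, and last line cut short. */
    const char *good = "alice\t127\nbob\t-8\n";
    const char *bad  = "alice\t127\nbob -8";
    struct acl_entry e[2];

    printf("\"foo 4\" parses without a newline: %d\n",
           line_parses_but_has_no_newline("foo 4"));
    printf("good ACL -> %d entries\n", parse_acl_lines(good, 2, e));
    printf("bad ACL  -> %d (rejected instead of NULL + 1)\n",
           parse_acl_lines(bad, 2, e));
    return 0;
}
```

Note that the fix makes a trailing newline mandatory on every entry: an otherwise valid ACL whose last line ends at end-of-string is rejected rather than accepted, which is the safe direction for a parser fed by remote clients.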