libcli/security:sddl_decode message offset safety latch
author: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Thu, 9 Nov 2023 23:11:24 +0000 (12:11 +1300)
committer: Andrew Bartlett <abartlet@samba.org>
Wed, 15 Nov 2023 22:07:35 +0000 (22:07 +0000)
The message offset is largely calculated using the differences
between pointers in many places scattered throughout the code.

If we got one of these wrong, we could easily have a SIZE_MAX-ish
offset, which would be unfortunate if we decided to display
the offset using spaces.

We can sanely limit the offset to the length of the SDDL.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security/sddl.c

index 898725bd4cdd93ff4147ae7531d697899e321d46..2cad84a937ab727306b803ce11e899063d8a0497 100644 (file)
@@ -963,6 +963,18 @@ failed:
         * offset at least provides a clue.
         */
        *msg_offset += sddl - start;
+
+       if (*msg_offset > strlen(sddl)) {
+               /*
+                * It's not that we *don't* trust our pointer difference
+                * arithmetic, just that we *shouldn't*. Let's render it
+                * harmless, before Python tries printing 18 quadrillion
+                * spaces.
+                */
+               DBG_WARNING("sddl error message offset %zu is too big\n",
+                           *msg_offset);
+               *msg_offset = 0;
+       }
        DEBUG(2,("Badly formatted SDDL '%s'\n", sddl));
        talloc_free(sd);
        return NULL;
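Review bot: the new bound in this hunk compares `*msg_offset` against `strlen(sddl)`, but the line just above it, `*msg_offset += sddl - start;`, shows that `sddl` is the cursor that has been advanced from `start` while parsing, so `strlen(sddl)` is the length of the remaining tail, not of the whole SDDL string that the commit message says the offset should be limited to. With an error late in a long string, a correct absolute offset (relative to `start`) can exceed the tail length and be clamped to 0 with a spurious "offset %zu is too big" warning, which defeats the "offset at least provides a clue" intent in the preceding comment. Suggest bounding against the full string, `if (*msg_offset > strlen(start)) {`, or keeping a `len` computed from the original pointer before parsing begins; `strlen(sddl)` is only equivalent when the parser failed at the very first character. A smaller point: the comment says the value is being made harmless rather than trusted, so it would help to note in the comment (or in the warning) that the clamped value 0 is itself a sentinel meaning "offset unknown", since callers printing spaces cannot otherwise tell it apart from a genuine error at position 0.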