copy_sec_desc() copies the owner and group SIDs from one security
descriptor to another. Unfortunately, it doesn't take into account the
fact that these are variable length and routinely overruns the SID
structure when doing this copy and scribbles over the destination ACL.
This wasn't noticed before the change in the maximum number of subauths
because the code either overwrote the damage afterward, or the overrun
part was the same between source and destination anyway. Now that the
max number of subauths is 15, it's more noticable.
Fix it to only copy the number of subauths that claimed in the buffer
instead.
Signed-off-by: Jeff Layton <jlayton@samba.org>
nowner_sid_ptr->num_subauth = owner_sid_ptr->num_subauth;
for (i = 0; i < NUM_AUTHS; i++)
nowner_sid_ptr->authority[i] = owner_sid_ptr->authority[i];
- for (i = 0; i < SID_MAX_SUB_AUTHORITIES; i++)
+ for (i = 0; i < owner_sid_ptr->num_subauth; i++)
nowner_sid_ptr->sub_auth[i] = owner_sid_ptr->sub_auth[i];
/* copy group sid */
ngroup_sid_ptr->num_subauth = group_sid_ptr->num_subauth;
for (i = 0; i < NUM_AUTHS; i++)
ngroup_sid_ptr->authority[i] = group_sid_ptr->authority[i];
- for (i = 0; i < SID_MAX_SUB_AUTHORITIES; i++)
+ for (i = 0; i < group_sid_ptr->num_subauth; i++)
ngroup_sid_ptr->sub_auth[i] = group_sid_ptr->sub_auth[i];
return;