From 1892df6ca803aed94e91cbd7a12ca1b8470dfc89 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 4 Sep 2010 14:11:46 +1000
Subject: [PATCH] s3-util_sid Use the NDR parser to parse struct dom_sid

The manual parser failed to constrain the maximum number of sub-authorities to 15, allowing an overflow of the array.

Andrew Bartlett
---
 source3/lib/util_sid.c | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index b0b8d0ef72d..92218ff2b27 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -297,20 +297,14 @@ bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid)

 bool sid_parse(const char *inbuf, size_t len, struct dom_sid *sid)
 {
- int i;
- if (len < 8)
- return False;
-
- ZERO_STRUCTP(sid);
-
- sid->sid_rev_num = CVAL(inbuf, 0);
- sid->num_auths = CVAL(inbuf, 1);
- memcpy(sid->id_auth, inbuf+2, 6);
- if (len < 8 + sid->num_auths*4)
- return False;
- for (i=0;inum_auths;i++)
- sid->sub_auths[i] = IVAL(inbuf, 8+i*4);
- return True;
+ enum ndr_err_code ndr_err;
+ DATA_BLOB in = data_blob_const(inbuf, len);
+ ndr_err = ndr_pull_struct_blob_all(&in, NULL, sid,
+ (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return false;
+ }
+ return true;
 }

 /*****************************************************************
-- 
2.34.1
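Review bot: The rewritten sid_parse() no longer clears `*sid` before parsing, so when the pull fails the caller's struct is left in whatever state the NDR code reached, possibly including an already-stored out-of-range `num_auths` (this depends on ndr_pull_dom_sid, which is not shown here). Since the bug being fixed is an overflow of `sub_auths`, I would keep the old `ZERO_STRUCTP(sid);` ahead of the pull and repeat it in the failure branch before `return false;`, so a caller that ignores the return value never sees a half-filled SID. Separately, `ndr_pull_struct_blob_all` presumably rejects input with bytes left over, whereas the removed code accepted any `len >= 8 + num_auths*4`; callers that pass a larger enclosing buffer should be checked. A short comment such as `/* NDR pull enforces num_auths <= 15; do not reintroduce a manual parser */` would record why parsing is delegated.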