Description: fix denial of service and possible arbitrary code
 execution via large number of SID sub authorities
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7669
Author: Andrew Bartlett and Jeremy Allison

diff -Nur samba-3.0.28a/source/lib/util_sid.c samba-3.0.28a.new/source/lib/util_sid.c
--- samba-3.0.28a/source/lib/util_sid.c	2008-03-08 10:33:34.000000000 -0500
+++ samba-3.0.28a.new/source/lib/util_sid.c	2010-09-09 11:09:42.000000000 -0400
@@ -403,6 +403,9 @@
 
 	sid->sid_rev_num = CVAL(inbuf, 0);
 	sid->num_auths = CVAL(inbuf, 1);
+	if (sid->num_auths > MAXSUBAUTHS) {
+		return false;
+	}
 	memcpy(sid->id_auth, inbuf+2, 6);
 	if (len < 8 + sid->num_auths*4)
 		return False;
diff -Nur samba-3.0.28a/source/libads/ldap.c samba-3.0.28a.new/source/libads/ldap.c
--- samba-3.0.28a/source/libads/ldap.c	2008-03-08 10:33:35.000000000 -0500
+++ samba-3.0.28a.new/source/libads/ldap.c	2010-09-09 11:09:42.000000000 -0400
@@ -1722,7 +1722,9 @@
 	int i;
 	for (i=0; values[i]; i++) {
 		DOM_SID sid;
-		sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+		if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+			return;
+		}
 		printf("%s: %s\n", field, sid_string_static(&sid));
 	}
 }
diff -Nur samba-3.0.28a/source/libsmb/cliquota.c samba-3.0.28a.new/source/libsmb/cliquota.c
--- samba-3.0.28a/source/libsmb/cliquota.c	2008-03-08 10:33:35.000000000 -0500
+++ samba-3.0.28a.new/source/libsmb/cliquota.c	2010-09-09 11:09:42.000000000 -0400
@@ -117,7 +117,9 @@
 	}
 #endif /* LARGE_SMB_OFF_T */
 	
-	sid_parse(rdata+40,sid_len,&qt.sid);
+	if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+		return False;
+	}
 
 	qt.qtype = SMB_USER_QUOTA_TYPE;
 
diff -Nur samba-3.0.28a/source/smbd/nttrans.c samba-3.0.28a.new/source/smbd/nttrans.c
--- samba-3.0.28a/source/smbd/nttrans.c	2008-03-08 10:33:36.000000000 -0500
+++ samba-3.0.28a.new/source/smbd/nttrans.c	2010-09-09 11:09:42.000000000 -0400
@@ -2424,7 +2424,10 @@
 		/* unknown 4 bytes: this is not the length of the sid :-(  */
 		/*unknown = IVAL(pdata,0);*/
 		
-		sid_parse(pdata+4,sid_len,&sid);
+		if (!sid_parse(pdata+4,sid_len,&sid)) {
+			return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+		}
+
 		DEBUGADD(10,("for SID: %s\n",sid_string_static(&sid)));
 
 		if (!sid_to_uid(&sid, &uid)) {
@@ -2662,7 +2665,9 @@
 				break;
 			}
 
-			sid_parse(pdata+8,sid_len,&sid);
+			if (!sid_parse(pdata+8,sid_len,&sid)) {
+				return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+			}
 		
 			if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
 				ZERO_STRUCT(qt);
@@ -2828,7 +2833,9 @@
 	}
 #endif /* LARGE_SMB_OFF_T */
 	
-	sid_parse(pdata+40,sid_len,&sid);
+	if (!sid_parse(pdata+40,sid_len,&sid)) {
+		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+	}
 	DEBUGADD(8,("SID: %s\n",sid_string_static(&sid)));
 
 	/* 44 unknown bytes left... */