[Pkg-samba-maint] [samba] 03/06: s3: smbd - fix processing of packets with invalid DOS charset conversions.

Ivo De Decker ivodd at moszumanska.debian.org
Mon Jun 23 16:46:09 UTC 2014


This is an automated email from the git hooks/post-receive script.

ivodd pushed a commit to branch upstream_4.1
in repository samba.

commit a88baed8dd64c3f77ee5070029d305489ad63743
Author: Jeremy Allison <jra at samba.org>
Date:   Sat Jun 7 21:51:44 2014 -0700

    s3: smbd - fix processing of packets with invalid DOS charset conversions.
    
    Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler
    
    https://bugzilla.samba.org/show_bug.cgi?id=10654
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    CVE-2014-3493
---
 source3/lib/charcnv.c   | 26 +++++++++++++++++---------
 source3/libsmb/clirap.c |  4 ++--
 source3/smbd/lanman.c   |  4 ++--
 3 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c
index 71d2c3a..2189812 100644
--- a/source3/lib/charcnv.c
+++ b/source3/lib/charcnv.c
@@ -46,9 +46,9 @@ void gfree_charcnv(void)
  **/
 size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
 {
-	size_t src_len = strlen(src);
+	size_t src_len = 0;
 	char *tmpbuf = NULL;
-	size_t size;
+	size_t size = 0;
 	bool ret;
 
 	/* No longer allow a length of -1. */
@@ -62,24 +62,32 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
 			smb_panic("malloc fail");
 		}
 		if (!strupper_m(tmpbuf)) {
+			if ((flags & (STR_TERMINATE|STR_TERMINATE_ASCII)) &&
+					dest &&
+					dest_len > 0) {
+				*(char *)dest = 0;
+			}
 			SAFE_FREE(tmpbuf);
-			return (size_t)-1;
+			return 0;
 		}
 		src = tmpbuf;
 	}
 
+	src_len = strlen(src);
 	if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
 		src_len++;
 	}
 
 	ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, &size);
-	if (ret == false &&
-			(flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
-			&& dest_len > 0) {
-		((char *)dest)[0] = '\0';
-	}
 	SAFE_FREE(tmpbuf);
-	return ret ? size : (size_t)-1;
+	if (ret == false) {
+		if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) &&
+				dest_len > 0) {
+			((char *)dest)[0] = '\0';
+		}
+		return 0;
+	}
+	return size;
 }
 
 /********************************************************************
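Review bot: Returning 0 on failure from push_ascii is only unambiguous when a terminate flag is set, because `src_len++` then counts the NUL and a successful call presumably returns at least 1; without STR_TERMINATE or STR_TERMINATE_ASCII an empty `src` would also yield 0. The header comment that ends just above the signature (its text is outside these hunks) should state the new contract, e.g. `Returns the number of bytes written to dest, or 0 on conversion failure; pass STR_TERMINATE to tell failure from an empty string.` The two failure paths also disagree: the strupper_m branch tests `dest &&` before writing the terminator, while the convert_string branch writes `((char *)dest)[0] = '\0'` without that test, so the same guard should be used in both. Any caller not touched by this commit that still compares the result with `(size_t)-1` would silently stop detecting failure, so the rest of the tree should be checked for that pattern.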
diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index 036919f..64e3767 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -327,7 +327,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
 				sizeof(param) - PTR_DIFF(p,param) - 1,
 				STR_TERMINATE|STR_UPPER);
 
-		if (len == (size_t)-1) {
+		if (len == 0) {
 			SAFE_FREE(last_entry);
 			return false;
 		}
@@ -339,7 +339,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
 					sizeof(param) - PTR_DIFF(p,param) - 1,
 					STR_TERMINATE);
 
-			if (len == (size_t)-1) {
+			if (len == 0) {
 				SAFE_FREE(last_entry);
 				return false;
 			}
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index 1b734a7..0a0ab6b 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn,
 		return 0;
 	}
 	l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE);
-	if (l == -1) {
+	if (l == 0) {
 		return 0;
 	}
 	(*dst) += l;
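Review bot: The space argument passed to push_ascii is a signed int converted to `size_t dest_len`: CopyAndAdvance in the next hunk takes `int *n` and passes `*n`, and `*p_space_remaining` here looks like the same pattern. A negative remaining count would become a very large dest_len and remove the bound on the write into `*dst`. Each function has an early `return 0` just above the call, but its condition is outside the hunk; if it does not already reject non-positive space, add `if (*p_space_remaining <= 0) return 0;` here and `if (*n <= 0) return 0;` in CopyAndAdvance before the push_ascii call. With STR_TERMINATE the new `l == 0` test is a sound failure check, and a one-line comment saying so would help the next reader.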
@@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *n)
 		return 0;
 	}
 	l = push_ascii(*dst,src,*n, STR_TERMINATE);
-	if (l == -1) {
+	if (l == 0) {
 		return 0;
 	}
 	(*dst) += l;

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git



