diff options
| author | Jeremy Allison <jra@samba.org> | 2018-06-15 15:07:17 -0700 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2018-08-11 08:16:00 +0200 |
| commit | 677fad5e51ab1f9782f2d7a8fa3c708a2d2bd4a0 (patch) | |
| tree | 512852b32e4dac8c7441313ad1f549d53bf8c5c3 | |
| parent | 4954a6da82e13459b0756f1b29c8a9b417bcca8d (diff) | |
| download | samba-677fad5e51ab1f9782f2d7a8fa3c708a2d2bd4a0.tar.gz | |
CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
| -rw-r--r-- | source3/libsmb/libsmb_path.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c index 01b0a61e483..ed70ab37550 100644 --- a/source3/libsmb/libsmb_path.c +++ b/source3/libsmb/libsmb_path.c @@ -173,8 +173,13 @@ smbc_urlencode(char *dest, } } - *dest++ = '\0'; - max_dest_len--; + if (max_dest_len == 0) { + /* Ensure we return -1 if no null termination. */ + return -1; + } + + *dest++ = '\0'; + max_dest_len--; return max_dest_len; } |