authorJeremy Allison <jra@samba.org>2014-06-11 13:22:14 -0700
committerKarolin Seeger <kseeger@samba.org>2014-06-23 07:59:07 +0200
commit1692ff43ac2e8997dcccd63f2327b7141f5be878 (patch)
tree27e4f4715566f67285e4c3acd9743882deb7d3f3
parent331ae420e9fc10b56b3abdcda1c5d98f18f017d4 (diff)
s3: smbd - fix processing of packets with invalid DOS charset conversions.
Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler
https://bugzilla.samba.org/show_bug.cgi?id=10654
Signed-off-by: Jeremy Allison <jra@samba.org>
CVE-2014-3493
-rw-r--r--source3/lib/charcnv.c16
-rw-r--r--source3/libsmb/clirap.c4
-rw-r--r--source3/smbd/lanman.c4
3 files changed, 14 insertions, 10 deletions
diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c
index d3f65ca4e24..d8cd2a57d35 100644
--- a/source3/lib/charcnv.c
+++ b/source3/lib/charcnv.c
@@ -822,7 +822,7 @@ size_t ucs2_align(const void *base_ptr, const void *p, int flags)
**/
size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
{
- size_t src_len = strlen(src);
+ size_t src_len = 0;
char *tmpbuf = NULL;
size_t ret;
@@ -840,17 +840,21 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
src = tmpbuf;
}
+ src_len = strlen(src);
if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
src_len++;
}
ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, True);
- if (ret == (size_t)-1 &&
- (flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
- && dest_len > 0) {
- ((char *)dest)[0] = '\0';
- }
+
SAFE_FREE(tmpbuf);
+ if (ret == (size_t)-1) {
+ if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
+ && dest_len > 0) {
+ ((char *)dest)[0] = '\0';
+ }
+ return 0;
+ }
return ret;
}
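Review bot: Returning 0 on a failed conversion makes the failure value identical to a legitimate empty result: when neither STR_TERMINATE nor STR_TERMINATE_ASCII is set and `src` is empty, `src_len` stays 0 and `convert_string()` can succeed with 0. The doc comment that closes just above the signature (in the previous hunk) should state the new contract, for example `Returns the number of bytes written to dest, or 0 if the conversion failed; with a terminate flag a successful call returns at least 1.` Any caller outside this diff that still compares the result with `(size_t)-1` will no longer see the failure and should be audited in the same change; this is inferred, since only the clirap.c and lanman.c call sites are visible here. The function body starts in the previous hunk.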
diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index d39d38ed72f..31c4cfe9b5e 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -319,7 +319,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
sizeof(param) - PTR_DIFF(p,param) - 1,
STR_TERMINATE|STR_UPPER);
- if (len == (size_t)-1) {
+ if (len == 0) {
SAFE_FREE(last_entry);
return false;
}
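Review bot: The new `if (len == 0)` test is a correct failure check only because the call passes STR_TERMINATE, so a successful conversion always counts the trailing NUL and is at least 1. That dependency is not written down; a one-line comment above the check, `/* push_ascii() returns 0 on conversion failure; with STR_TERMINATE success is >= 1 */`, would stop a later edit that drops the flag from turning an empty string into a reported error. The same applies to the second check in the next hunk, after the STR_TERMINATE-only call. The start of both calls lies outside the hunks, so the assignment to `len` is assumed to come from push_ascii().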
@@ -331,7 +331,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
sizeof(param) - PTR_DIFF(p,param) - 1,
STR_TERMINATE);
- if (len == (size_t)-1) {
+ if (len == 0) {
SAFE_FREE(last_entry);
return false;
}
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index 3b4ec651b4c..0f5d6da605c 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn,
return 0;
}
l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE);
- if (l == -1) {
+ if (l == 0) {
return 0;
}
(*dst) += l;
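Review bot: `l` receives the `size_t` result of push_ascii() but its declaration is outside the hunk; the removed `l == -1` comparison suggests it is a signed `int`. With the sentinel now 0 the sign no longer matters for the error test, so this is a good point to declare it `size_t l;` (or to add a comment that the value is bounded by the `int` space count passed as `dest_len`) so that the later `(*dst) += l;` never advances by a narrowed value. The space argument (`*p_space_remaining` here, `*n` in CopyAndAdvance in the next hunk) is converted from `int` to `size_t` at the call; the `return 0;` at the top of each hunk presumably belongs to a guard that rejects non-positive values, which should be confirmed since a negative count would become a very large `dest_len`.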
@@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *n)
return 0;
}
l = push_ascii(*dst,src,*n, STR_TERMINATE);
- if (l == -1) {
+ if (l == 0) {
return 0;
}
(*dst) += l;