diff options
| author | Jeremy Allison <jra@samba.org> | 2018-06-15 15:07:17 -0700 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2018-08-13 09:13:35 +0200 |
| commit | 6936d3e2f2d8eb183f89dd3402403de1a45a5d08 (patch) | |
| tree | 4df440ba54d3a353a9bafdf54b93879d15beee95 | |
| parent | 30428f36f79b0cc4133a7f640b334c566e1ef525 (diff) | |
| download | samba-6936d3e2f2d8eb183f89dd3402403de1a45a5d08.tar.gz | |
CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
| -rw-r--r-- | source3/libsmb/libsmb_path.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c index 01b0a61e483..ed70ab37550 100644 --- a/source3/libsmb/libsmb_path.c +++ b/source3/libsmb/libsmb_path.c @@ -173,8 +173,13 @@ smbc_urlencode(char *dest, } } - *dest++ = '\0'; - max_dest_len--; + if (max_dest_len == 0) { + /* Ensure we return -1 if no null termination. */ + return -1; + } + + *dest++ = '\0'; + max_dest_len--; return max_dest_len; } |