diff options
author | Jeremy Allison <jra@samba.org> | 2018-06-15 15:07:17 -0700 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2018-08-11 21:56:40 +0200 |
commit | 02db55b4074e0ceebb87a75105e8ef79c3dcf032 (patch) | |
tree | 6a4bd91494e6644c7ce416ec826afc12853e62fe /source3/libsmb | |
parent | 9cf4b08046987b1a9586b3f53d1b08fc0ab5f456 (diff) | |
download | samba-02db55b4074e0ceebb87a75105e8ef79c3dcf032.tar.gz |
CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Diffstat (limited to 'source3/libsmb')
-rw-r--r-- | source3/libsmb/libsmb_path.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c index 01b0a61e483..ed70ab37550 100644 --- a/source3/libsmb/libsmb_path.c +++ b/source3/libsmb/libsmb_path.c @@ -173,8 +173,13 @@ smbc_urlencode(char *dest, } } - *dest++ = '\0'; - max_dest_len--; + if (max_dest_len == 0) { + /* Ensure we return -1 if no null termination. */ + return -1; + } + + *dest++ = '\0'; + max_dest_len--; return max_dest_len; } |