1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

s3: smbd - fix processing of packets with invalid DOS charset conversions.

CVE-2014-3493

Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler

https://bugzilla.samba.org/show_bug.cgi?id=10654

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 25 03:47:55 CEST 2014 on sn-devel-104
This commit is contained in:
Jeremy Allison 2014-06-07 21:51:44 -07:00
parent d77a74237e
commit 457d79f2cb
3 changed files with 21 additions and 13 deletions

View File

@ -46,9 +46,9 @@ void gfree_charcnv(void)
**/
size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
{
size_t src_len = strlen(src);
size_t src_len = 0;
char *tmpbuf = NULL;
size_t size;
size_t size = 0;
bool ret;
/* No longer allow a length of -1. */
@ -62,24 +62,32 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
smb_panic("malloc fail");
}
if (!strupper_m(tmpbuf)) {
if ((flags & (STR_TERMINATE|STR_TERMINATE_ASCII)) &&
dest &&
dest_len > 0) {
*(char *)dest = 0;
}
SAFE_FREE(tmpbuf);
return (size_t)-1;
return 0;
}
src = tmpbuf;
}
src_len = strlen(src);
if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
src_len++;
}
ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, &size);
if (ret == false &&
(flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
&& dest_len > 0) {
SAFE_FREE(tmpbuf);
if (ret == false) {
if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) &&
dest_len > 0) {
((char *)dest)[0] = '\0';
}
SAFE_FREE(tmpbuf);
return ret ? size : (size_t)-1;
return 0;
}
return size;
}
/********************************************************************

View File

@ -327,7 +327,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
sizeof(param) - PTR_DIFF(p,param) - 1,
STR_TERMINATE|STR_UPPER);
if (len == (size_t)-1) {
if (len == 0) {
SAFE_FREE(last_entry);
return false;
}
@ -339,7 +339,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
sizeof(param) - PTR_DIFF(p,param) - 1,
STR_TERMINATE);
if (len == (size_t)-1) {
if (len == 0) {
SAFE_FREE(last_entry);
return false;
}

View File

@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn,
return 0;
}
l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE);
if (l == -1) {
if (l == 0) {
return 0;
}
(*dst) += l;
@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *n)
return 0;
}
l = push_ascii(*dst,src,*n, STR_TERMINATE);
if (l == -1) {
if (l == 0) {
return 0;
}
(*dst) += l;