s3: smbd - fix processing of packets with invalid DOS charset conversions.
CVE-2014-3493 Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler https://bugzilla.samba.org/show_bug.cgi?id=10654 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Jun 25 03:47:55 CEST 2014 on sn-devel-104
parent
d77a74237e
commit
457d79f2cb
@ -46,9 +46,9 @@ void gfree_charcnv(void)
|
||||
**/
|
||||
size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
|
||||
{
|
||||
size_t src_len = strlen(src);
|
||||
size_t src_len = 0;
|
||||
char *tmpbuf = NULL;
|
||||
size_t size;
|
||||
size_t size = 0;
|
||||
bool ret;
|
||||
|
||||
/* No longer allow a length of -1. */
|
||||
@ -62,24 +62,32 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
|
||||
smb_panic("malloc fail");
|
||||
}
|
||||
if (!strupper_m(tmpbuf)) {
|
||||
if ((flags & (STR_TERMINATE|STR_TERMINATE_ASCII)) &&
|
||||
dest &&
|
||||
dest_len > 0) {
|
||||
*(char *)dest = 0;
|
||||
}
|
||||
SAFE_FREE(tmpbuf);
|
||||
return (size_t)-1;
|
||||
return 0;
|
||||
}
|
||||
src = tmpbuf;
|
||||
}
|
||||
|
||||
src_len = strlen(src);
|
||||
if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
|
||||
src_len++;
|
||||
}
|
||||
|
||||
ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, &size);
|
||||
if (ret == false &&
|
||||
(flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
|
||||
&& dest_len > 0) {
|
||||
SAFE_FREE(tmpbuf);
|
||||
if (ret == false) {
|
||||
if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) &&
|
||||
dest_len > 0) {
|
||||
((char *)dest)[0] = '\0';
|
||||
}
|
||||
SAFE_FREE(tmpbuf);
|
||||
return ret ? size : (size_t)-1;
|
||||
return 0;
|
||||
}
|
||||
return size;
|
||||
}
|
||||
|
||||
/********************************************************************
|
||||
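Review bot: Returning 0 instead of `(size_t)-1` on failure makes the error value identical to a legitimate result when neither STR_TERMINATE flag is set and src is empty, and the header comment ending at `**/` above the signature should now spell the contract out. Something like `Returns the number of bytes written to dest, or 0 on failure; with a terminate flag a successful call returns at least 1.` would do, though the "at least 1" part is inferred from the `src_len++` line and should be confirmed against convert_string(). Any caller outside this commit that still compares the result against `(size_t)-1` would silently stop seeing failures, so the remaining call sites are worth a grep. The two error paths also differ: the strupper_m() branch checks `dest &&` before writing the terminator, while the convert_string() branch checks only `dest_len > 0` before `((char *)dest)[0] = '\0'`; using the same guard in both would be more consistent. The part of push_ascii between the two hunks is not shown here.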
|
@ -327,7 +327,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
|
||||
sizeof(param) - PTR_DIFF(p,param) - 1,
|
||||
STR_TERMINATE|STR_UPPER);
|
||||
|
||||
if (len == (size_t)-1) {
|
||||
if (len == 0) {
|
||||
SAFE_FREE(last_entry);
|
||||
return false;
|
||||
}
|
||||
@ -339,7 +339,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
|
||||
sizeof(param) - PTR_DIFF(p,param) - 1,
|
||||
STR_TERMINATE);
|
||||
|
||||
if (len == (size_t)-1) {
|
||||
if (len == 0) {
|
||||
SAFE_FREE(last_entry);
|
||||
return false;
|
||||
}
|
||||
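Review bot: The new `if (len == 0)` tests in both cli_NetServerEnum hunks depend on a property of push_ascii() that is not stated at the call site: with STR_TERMINATE the terminator is counted, so a successful conversion should never return 0. A one-line comment above each check would stop a later reader from reverting it to the old sentinel, e.g. `/* push_ascii() returns 0 on conversion failure; success with STR_TERMINATE is >= 1 */`. The same bare `l == 0` check appears in CopyExpanded and CopyAndAdvance further down the page. cli_NetServerEnum's body extends outside both hunks.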
|
@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn,
|
||||
return 0;
|
||||
}
|
||||
l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE);
|
||||
if (l == -1) {
|
||||
if (l == 0) {
|
||||
return 0;
|
||||
}
|
||||
(*dst) += l;
|
||||
@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *n)
|
||||
return 0;
|
||||
}
|
||||
l = push_ascii(*dst,src,*n, STR_TERMINATE);
|
||||
if (l == -1) {
|
||||
if (l == 0) {
|
||||
return 0;
|
||||
}
|
||||
(*dst) += l;
|
||||
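Review bot: In CopyAndAdvance the remaining-space count `*n` is an `int` (per the signature) and is converted to `size_t` at `push_ascii(*dst,src,*n, STR_TERMINATE)`, so a negative count would reach push_ascii as a very large dest_len, and the new `l == 0` check does not cover that case. The guard that ends in `return 0;` just before the call starts outside the hunk and may already reject it; if it does not, add `if (*n <= 0) { return 0; }` ahead of the call. The same applies to `*p_space_remaining` in CopyExpanded, whose type is not visible here. The declaration of `l` is also outside both hunks; since push_ascii() returns `size_t`, it is worth confirming that `(*dst) += l` cannot see a value that was truncated on assignment.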
|