1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.

Fixes the raw.write.bad-write test.

NB. We need the two (==0) changes in source3/smbd/reply.c
as the gcc optimizer now knows that the return from
smbreq_bufrem() can never be less than zero.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085

Remove knownfail.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
This commit is contained in:
Jeremy Allison 2022-06-08 13:50:51 -07:00 committed by Jule Anger
parent ed3f82f4d7
commit 74946420dd
3 changed files with 3 additions and 5 deletions

View File

@ -1,2 +0,0 @@
^samba3.raw.write.bad-write\(nt4_dc_smb1\)
^samba3.raw.write.bad-write\(ad_dc_smb1\)

View File

@ -152,7 +152,7 @@
/* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */
#define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf)))
#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf))
#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf))
/* Note that chain_size must be available as an extern int to this macro. */

View File

@ -345,7 +345,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
{
ssize_t bufrem = smbreq_bufrem(req, src);
if (bufrem < 0) {
if (bufrem == 0) {
*err = NT_STATUS_INVALID_PARAMETER;
return 0;
}
@ -383,7 +383,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
{
ssize_t bufrem = smbreq_bufrem(req, src);
if (bufrem < 0) {
if (bufrem == 0) {
return 0;
}