mirror of
https://github.com/samba-team/samba.git
synced 2025-01-11 05:18:09 +03:00
util: Simplify input validation
It appears that snprintf(3) is being used for input validation. However, this seems like overkill because it causes szPath to be copied an extra time. The most likely protections being sought here, according to https://cwe.mitre.org/data/definitions/20.html, look to be DoS attacks involving CPU and memory usage. A simpler check that uses strnlen(3) can mitigate against both of these and is simpler. Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Volker Lendecke <vl@samba.org>
parent
7e36b1ec2e
commit
922bce2668
@ -69,21 +69,20 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
|
||||
struct passwd pwd = {0};
|
||||
struct passwd *pwdbuf = NULL;
|
||||
char buf[NSS_BUFLEN_PASSWD] = {0};
|
||||
size_t len;
|
||||
int rc;
|
||||
|
||||
rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
|
||||
if (rc != 0 || pwdbuf == NULL ) {
|
||||
int len_written;
|
||||
const char *szPath = getenv("HOME");
|
||||
if (szPath == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
len_written = snprintf(buf, sizeof(buf), "%s", szPath);
|
||||
if (len_written >= sizeof(buf) || len_written < 0) {
|
||||
/* Output was truncated or an error. */
|
||||
len = strnlen(szPath, PATH_MAX);
|
||||
if (len >= PATH_MAX) {
|
||||
return NULL;
|
||||
}
|
||||
return talloc_strdup(mem_ctx, buf);
|
||||
return talloc_strdup(mem_ctx, szPath);
|
||||
}
|
||||
|
||||
return talloc_strdup(mem_ctx, pwd.pw_dir);
|
||||
|
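Review bot: The new `strnlen(szPath, PATH_MAX)` check bounds only the length of `HOME`, so an empty or relative value taken from the environment is still passed to `talloc_strdup()` and returned as the home directory. The accepted limit also moves from `sizeof(buf)` to `PATH_MAX`, which the commit message does not mention; a short comment such as `/* HOME is environment-controlled: reject over-long values before duplicating */` would keep the intent that the removed truncation comment carried. If callers expect a usable absolute path, the guard could become `if (len == 0 || len >= PATH_MAX || szPath[0] != '/') {`. The function begins and ends outside the hunk, so how the result is consumed is not visible here and the stricter check should be confirmed against the callers.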