1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s3:rpc_client: Check for array size instead of UINT16_MAX

mdscli_ctx->mdscmd_open.share_path is an array of size 1025. The
boundary is 1025 and not UINT16_MAX.

"Error: OVERRUN (CWE-119):
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_at_least: Checking ""share_path_len < 1UL"" implies that ""share_path_len"" is at least 1 on the false branch.
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_between: Checking ""share_path_len > 65535UL"" implies that ""share_path_len"" is between 1 and 65535 (inclusive) on the false branch.
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:133: overrun-local: Overrunning array ""mdscli_ctx->mdscmd_open.share_path"" of 1025 bytes at byte offset 65534 using index ""share_path_len - 1UL"" (which evaluates to 65534).
  131|   	mdscli_ctx->mdscmd_open.share_path_len = share_path_len;
  132|
  133|-> 	if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') {
  134|   		mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0';
  135|   		mdscli_ctx->mdscmd_open.share_path_len--;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
This commit is contained in:
Andreas Schneider 2024-06-24 13:38:34 +02:00 committed by Andreas Schneider
parent 7990a2ba08
commit dd896862d0

View File

@ -124,7 +124,9 @@ static void mdscli_connect_open_done(struct tevent_req *subreq)
}
share_path_len = strlen(mdscli_ctx->mdscmd_open.share_path);
if (share_path_len < 1 || share_path_len > UINT16_MAX) {
if (share_path_len < 1 ||
share_path_len >= sizeof(mdscli_ctx->mdscmd_open.share_path))
{
tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
return;
}