mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s3:rpc_client: Check for array size instead of UINT16_MAX
mdscli_ctx->mdscmd_open.share_path is an array of size 1025. The boundary is 1025 and not UINT16_MAX. "Error: OVERRUN (CWE-119): samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_at_least: Checking ""share_path_len < 1UL"" implies that ""share_path_len"" is at least 1 on the false branch. samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_between: Checking ""share_path_len > 65535UL"" implies that ""share_path_len"" is between 1 and 65535 (inclusive) on the false branch. samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:133: overrun-local: Overrunning array ""mdscli_ctx->mdscmd_open.share_path"" of 1025 bytes at byte offset 65534 using index ""share_path_len - 1UL"" (which evaluates to 65534). 131| mdscli_ctx->mdscmd_open.share_path_len = share_path_len; 132| 133|-> if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') { 134| mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0'; 135| mdscli_ctx->mdscmd_open.share_path_len--;" Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Noel Power <npower@samba.org>
This commit is contained in:
parent
7990a2ba08
commit
dd896862d0
@ -124,7 +124,9 @@ static void mdscli_connect_open_done(struct tevent_req *subreq)
|
||||
}
|
||||
|
||||
share_path_len = strlen(mdscli_ctx->mdscmd_open.share_path);
|
||||
if (share_path_len < 1 || share_path_len > UINT16_MAX) {
|
||||
if (share_path_len < 1 ||
|
||||
share_path_len >= sizeof(mdscli_ctx->mdscmd_open.share_path))
|
||||
{
|
||||
tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
|
||||
return;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user