diff --git a/source/lib/util_str.c b/source/lib/util_str.c
index 2a9ee0a868e..60e0e3837fc 100644
--- a/source/lib/util_str.c
+++ b/source/lib/util_str.c
@@ -479,11 +479,15 @@ char *safe_strcat(char *dest, const char *src, size_t maxlength)
 src_len = strlen(src);
 dest_len = strlen(dest);
-
+
 if (src_len + dest_len > maxlength) {
 DEBUG(0,("ERROR: string overflow by %d in safe_strcat [%.50s]\n", (int)(src_len + dest_len - maxlength), src));
- src_len = maxlength - dest_len;
+ if (maxlength > dest_len) {
+ memcpy(&dest[dest_len], src, maxlength - dest_len);
+ }
+ dest[maxlength] = 0;
+ return NULL;
 }
 memcpy(&dest[dest_len], src, src_len);
diff --git a/source/smbd/filename.c b/source/smbd/filename.c
index bcfd366741a..7d3527402e8 100644
--- a/source/smbd/filename.c
+++ b/source/smbd/filename.c
@@ -31,7 +31,8 @@ extern BOOL case_preserve;
 extern BOOL short_case_preserve;
 extern BOOL use_mangled_map;
-static BOOL scan_directory(const char *path, pstring name,connection_struct *conn,BOOL docache);
+static BOOL scan_directory(const char *path, char *name,size_t maxlength,
+ connection_struct *conn,BOOL docache);
 /**************************************************************************** Check if two filenames are equal.
@@ -266,7 +267,11 @@ BOOL unix_convert(pstring name,connection_struct *conn,char *saved_last_componen
 * Try to find this part of the path in the directory. */
- if (ms_has_wild(start) || !scan_directory(dirpath, start, conn, end?True:False)) {
+ if (ms_has_wild(start) ||
+ !scan_directory(dirpath, start,
+ sizeof(pstring) - 1 - (start - name),
+ conn,
+ end?True:False)) {
 if (end) {
 /* * An intermediate part of the name can't be found.
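Review bot: safe_strcat's overflow branch now truncates dest and returns NULL instead of falling through to the final memcpy, which changes the contract for every existing caller, not just the ones patched in filename.c. Callers that ignore the result carry on with a silently truncated string, and any caller that uses the returned pointer as the string now has to handle NULL. The function's header comment (outside this hunk) should state this, e.g. `Returns NULL, with dest truncated to maxlength characters and NUL-terminated, if src does not fit.` The write `dest[maxlength] = 0` also assumes the buffer holds at least maxlength + 1 bytes, and that requirement belongs in the same comment.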
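Review bot: The bound passed to scan_directory, `sizeof(pstring) - 1 - (start - name)`, is evaluated in size_t, so it is only a real limit while start points inside name's buffer. If `start - name` ever exceeded `sizeof(pstring) - 1`, the subtraction would wrap to a very large value and the new length checks would accept anything. The same expression is repeated twice in the -315 hunk. Computing it once into a local, e.g. `size_t remaining = sizeof(pstring) - 1 - (size_t)(start - name);`, with a comment stating the invariant, would make the assumption explicit and keep the three uses in step. The enclosing loop of unix_convert starts and ends outside this hunk, so where start is advanced cannot be checked from here.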
@@ -315,8 +320,10 @@ BOOL unix_convert(pstring name,connection_struct *conn,char *saved_last_componen
 */
 if (end) {
 end = start + strlen(start);
- pstrcat(start,"/");
- pstrcat(start,rest);
+ if (!safe_strcat(start, "/", sizeof(pstring) - 1 - (start - name)) ||
+ !safe_strcat(start, rest, sizeof(pstring) - 1 - (start - name))) {
+ return False;
+ }
 *end = '\0';
 } else {
 /*
@@ -428,7 +435,8 @@ BOOL check_name(pstring name,connection_struct *conn)
 If the name looks like a mangled name then try via the mangling functions ****************************************************************************/
-static BOOL scan_directory(const char *path, pstring name,connection_struct *conn,BOOL docache)
+static BOOL scan_directory(const char *path, char *name, size_t maxlength,
+ connection_struct *conn,BOOL docache)
 {
 void *cur_dir;
 char *dname;
@@ -441,7 +449,7 @@ static BOOL scan_directory(const char *path, pstring name,connection_struct *con
 path = ".";
 if (docache && (dname = DirCacheCheck(path,name,SNUM(conn)))) {
- pstrcpy(name, dname);
+ safe_strcpy(name, dname, maxlength);
 return(True);
 }
@@ -481,7 +489,7 @@ static BOOL scan_directory(const char *path, pstring name,connection_struct *con
 /* we've found the file, change it's name and return */
 if (docache) DirCacheAdd(path,name,dname,SNUM(conn));
- pstrcpy(name, dname);
+ safe_strcpy(name, dname, maxlength);
 CloseDir(cur_dir);
 return(True);
 }
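Review bot: The new failure branch returns False before `*end = '\0'` runs, so when the second safe_strcat fails, name is left holding the component followed by "/" and a truncated copy of rest. If any caller outside this hunk keeps using name after a False return, it would be working with a path that is neither the original nor the converted one. Consider restoring the terminator on the way out, `*end = '\0'; return False;`, if that matches what unix_convert's other failure paths leave in name. Those paths are outside this hunk, so this needs checking against the full function.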
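Review bot: The comment block above scan_directory is not updated for the new maxlength parameter, and the unit is easy to get wrong. It should say that maxlength is the longest string name may hold, not counting the terminating NUL, rather than the buffer size; the call site passes `sizeof(pstring) - 1 - (start - name)` and the patched safe_strcat writes `dest[maxlength] = 0`. A suggested line for the header comment is `name is overwritten in place with the matched entry; maxlength is the most characters it can hold, excluding the NUL.` Only the tail of that comment is visible in this hunk.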
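Review bot: Both safe_strcpy calls in scan_directory (the cache hit here and the found-file path in the -481 hunk) discard the return value and then `return(True)`. If dname does not fit in maxlength, the function reports a match while name holds a truncated entry, assuming safe_strcpy truncates and signals failure the way the patched safe_strcat does; its body is not on this page. A truncated name can refer to a different file from the one that was matched. Consider `if (!safe_strcpy(name, dname, maxlength)) return(False);` in the cache path, and the equivalent check after `CloseDir(cur_dir);` in the found-file path. scan_directory's body extends outside both hunks.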