1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-19 10:03:58 +03:00
Jeremy Allison 33f88abe6b s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.
Ensure we zero out unused grown area.

CVE-2017-15275

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077

Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Tue Nov 21 19:42:22 CET 2017 on sn-devel-144
2017-11-21 19:42:22 +01:00

133 lines
3.6 KiB
C

/*
Unix SMB/CIFS implementation.
server specific string routines
Copyright (C) Andrew Tridgell 2001
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "smbd/smbd.h"
#include "smbd/globals.h"
/* Make sure we can't write a string past the end of the buffer */
NTSTATUS srvstr_push_fn(const char *base_ptr, uint16_t smb_flags2, void *dest,
const char *src, int dest_len, int flags, size_t *ret_len)
{
size_t len;
int saved_errno;
NTSTATUS status;
if (dest_len < 0) {
return NT_STATUS_INVALID_PARAMETER;
}
saved_errno = errno;
errno = 0;
/* 'normal' push into size-specified buffer */
len = push_string_base(base_ptr, smb_flags2, dest, src,
dest_len, flags);
if (errno != 0) {
/*
* Special case E2BIG, EILSEQ, EINVAL
* as they mean conversion errors here,
* but we don't generically map them as
* they can mean different things in
* generic filesystem calls (such as
* read xattrs).
*/
if (errno == E2BIG || errno == EILSEQ || errno == EINVAL) {
status = NT_STATUS_ILLEGAL_CHARACTER;
} else {
status = map_nt_error_from_unix_common(errno);
/*
* Paranoia - Filter out STATUS_MORE_ENTRIES.
* I don't think we can get this but it has a
* specific meaning to the client.
*/
if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
status = NT_STATUS_UNSUCCESSFUL;
}
}
DEBUG(10,("character conversion failure "
"on string (%s) (%s)\n",
src, strerror(errno)));
} else {
/* Success - restore untouched errno. */
errno = saved_errno;
*ret_len = len;
status = NT_STATUS_OK;
}
return status;
}
/*******************************************************************
Add a string to the end of a smb_buf, adjusting bcc and smb_len.
Return the bytes added
********************************************************************/
ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
{
size_t buf_size = smb_len(*outbuf) + 4;
size_t grow_size;
size_t result = 0;
uint8_t *tmp;
NTSTATUS status;
/*
* We need to over-allocate, now knowing what srvstr_push will
* actually use. This is very generous by incorporating potential
* padding, the terminating 0 and at most 4 chars per UTF-16 code
* point.
*/
grow_size = (strlen(str) + 2) * 4;
if (!(tmp = talloc_realloc(NULL, *outbuf, uint8_t,
buf_size + grow_size))) {
DEBUG(0, ("talloc failed\n"));
return -1;
}
status = srvstr_push((char *)tmp, SVAL(tmp, smb_flg2),
tmp + buf_size, str, grow_size, flags, &result);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
/*
* Ensure we clear out the extra data we have
* grown the buffer by, but not written to.
*/
if (buf_size + result < buf_size) {
return -1;
}
if (grow_size < result) {
return -1;
}
memset(tmp + buf_size + result, '\0', grow_size - result);
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;
return result;
}