Module Name: src
Committed By: christos
Date: Tue Oct 3 15:27:10 UTC 2017

Modified Files:
    src/sys/netsmb: smb_subr.c

Log Message:
From FreeBSD:

netsmb: Fix buggy/racy smb_strdupin()

smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer
and then blindly copyin that size. Of course, a malicious user program
could simultaneously manipulate the buffer, resulting in a non-terminated
string being copied.

Later assumptions in the code rely upon the string being nul-terminated.

Just use copyinstr() and drop the racy sizing.

PR: 222687
Reported by: Meng Xu <meng.xu AT gatech.edu>
Security: possible local DoS
Sponsored by: Dell EMC Isilon

To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/sys/netsmb/smb_subr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
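
Added example (not part of the commit and not the netsmb source): a userland C model of the double fetch the log message describes, next to the single bounded fetch that replaces it. The names model_copyin, model_copyinstr, racer, drop_nul, strdupin_racy, strdupin_fixed and terminated are hypothetical stand-ins, and the "user" buffers are constructed sample data.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userland model: "user memory" is an ordinary buffer and
 * racer (hypothetical hook) plays a second user thread between fetches. */
static void (*racer)(char *ubuf);
static void drop_nul(char *u) { u[strlen(u)] = 'X'; }
/* Stand-in for copyin(): raw byte copy, no notion of strings. */
static void model_copyin(const char *u, char *k, size_t n) { memcpy(k, u, n); }
/* Stand-in for copyinstr(): one bounded pass, error if no NUL within max. */
static int model_copyinstr(const char *u, char *k, size_t max) {
    for (size_t i = 0; i < max; i++)
        if ((k[i] = u[i]) == '\0')
            return 0;
    return ENAMETOOLONG;
}

/* Racy shape: fetch 1 sizes the string, fetch 2 copies that many bytes. */
static char *strdupin_racy(char *u, size_t maxlen, size_t *lenp) {
    size_t len = 0; char c;
    do {
        model_copyin(u + len++, &c, 1);
    } while (c != '\0' && len < maxlen);
    if (racer) racer(u);                 /* buffer changes after sizing */
    char *k = malloc(len);
    if (k) model_copyin(u, k, len);      /* trusts the stale length */
    *lenp = len; return k;
}

/* Fixed shape: a single bounded fetch that terminates or fails. */
static char *strdupin_fixed(char *u, size_t maxlen) {
    char *k = malloc(maxlen);
    if (racer) racer(u);                 /* same interference, still terminated */
    if (k && model_copyinstr(u, k, maxlen) != 0) { free(k); k = NULL; }
    return k;
}

/* Returns 1 if the kernel-side copy contains a NUL within n bytes. */
static int terminated(const char *k, size_t n) { return memchr(k, 0, n) != NULL; }

int main(void) {
    char a[16] = "share", b[16] = "share"; size_t n;
    racer = drop_nul;
    char *r = strdupin_racy(a, sizeof a, &n), *f = strdupin_fixed(b, sizeof b);
    int rc = (r && !terminated(r, n) && f && terminated(f, sizeof b)) ? 0 : 1;
    free(r); free(f); return rc;
}
```

In the racy shape the kernel-side copy is exactly as long as the stale length and has no terminator, so any later strlen()-style use reads past the allocation; in the fixed shape the result is either NUL-terminated within maxlen or rejected.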