Author: cem
Date: Fri Sep 29 15:53:26 2017
New Revision: 324102
URL: https://svnweb.freebsd.org/changeset/base/324102

Log:
  netsmb: Fix buggy/racy smb_strdupin()
  
  smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer
  and then blindly copyin that size.  Of course, a malicious user program
  could simultaneously manipulate the buffer, resulting in a non-terminated
  string being copied.
  
  Later assumptions in the code rely upon the string being nul-terminated.
  
  Just use copyinstr() and drop the racy sizing.
  
  PR:           222687
  Reported by:  Meng Xu <meng.xu AT gatech.edu>
  Security:     possible local DoS
  Sponsored by: Dell EMC Isilon

Modified:
  head/sys/netsmb/smb_subr.c

Modified: head/sys/netsmb/smb_subr.c
==============================================================================
--- head/sys/netsmb/smb_subr.c  Fri Sep 29 15:13:28 2017        (r324101)
+++ head/sys/netsmb/smb_subr.c  Fri Sep 29 15:53:26 2017        (r324102)
@@ -110,22 +110,11 @@ smb_strdup(const char *s)
 char *
 smb_strdupin(char *s, size_t maxlen)
 {
-       char *p, bt;
+       char *p;
        int error;
-       size_t len;
 
-       len = 0;
-       for (p = s; ;p++) {
-               if (copyin(p, &bt, 1))
-                       return NULL;
-               len++;
-               if (maxlen && len > maxlen)
-                       return NULL;
-               if (bt == 0)
-                       break;
-       }
-       p = malloc(len, M_SMBSTR, M_WAITOK);
-       error = copyin(s, p, len);
+       p = malloc(maxlen + 1, M_SMBSTR, M_WAITOK);
+       error = copyinstr(s, p, maxlen + 1, NULL);
        if (error) {
                free(p, M_SMBSTR);
                return (NULL);
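Review bot: the hunk changes the meaning of `maxlen == 0`, which the removed loop treated as "no limit" (`if (maxlen && len > maxlen)`), while the new code allocates `maxlen + 1` bytes and calls `copyinstr(s, p, maxlen + 1, NULL)`, so with `maxlen == 0` only an empty string can now be copied and anything longer fails with ENAMETOOLONG and returns NULL. Confirm that no caller of `smb_strdupin()` passes 0 to mean unbounded, or document the new contract in a comment above the function. The length accounting itself is sound: `copyinstr()` copies at most `maxlen + 1` bytes including the terminating nul into a buffer of exactly that size, so the string is always nul-terminated when `error == 0`, and the existing `if (error) { free(p, M_SMBSTR); return (NULL); }` path covers both EFAULT and ENAMETOOLONG, which is what removes the read-again race from the old two-pass sizing.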
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all