netsmb: Fix buggy/racy smb_strdupin()

smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer and then blindly copyin that size. Of course, a malicious user program could simultaneously manipulate the buffer, resulting in a non-terminated string being copied. Later assumptions in the code rely upon the string being nul-terminated. Just use copyinstr() and drop the racy sizing. PR: 222687 Reported by: Meng Xu <meng.xu AT gatech.edu> Security: possible local DoS Sponsored by: Dell EMC Isilon
svn path=/head/; revision=324102
2024-07-22 02:37:15 +00:00 · 2017-09-29 15:53:26 +00:00 · 2017-09-29 15:53:26 +00:00 · 51bcc337dd · 2020-12-20 02:59:44 +00:00
parent 451c2bec47
commit 51bcc337dd
1 changed files with 3 additions and 14 deletions
--- a/sys/netsmb/smb_subr.c
+++ b/sys/netsmb/smb_subr.c
@ -110,22 +110,11 @@ smb_strdup(const char *s)
 char *
 smb_strdupin(char *s, size_t maxlen)
 {
-	char *p, bt;
+	char *p;
 	int error;
-	size_t len;

-	len = 0;
-	for (p = s; ;p++) {
-		if (copyin(p, &bt, 1))
-			return NULL;
-		len++;
-		if (maxlen && len > maxlen)
-			return NULL;
-		if (bt == 0)
-			break;
-	}
-	p = malloc(len, M_SMBSTR, M_WAITOK);
-	error = copyin(s, p, len);
+	p = malloc(maxlen + 1, M_SMBSTR, M_WAITOK);
+	error = copyinstr(s, p, maxlen + 1, NULL);
 	if (error) {
 		free(p, M_SMBSTR);
 		return (NULL);