netsmb: Fix buggy/racy smb_strdupin()
smb_strdupin() tried to roll its own copyin()-based strlen() to size a buffer and then blindly copied that many bytes in. Of course, a malicious user program could modify the buffer concurrently, resulting in a non-terminated string being copied. Later assumptions in the code rely upon the string being nul-terminated. Just use copyinstr() and drop the racy sizing. PR: 222687 Reported by: Meng Xu <meng.xu AT gatech.edu> Security: possible local DoS Sponsored by: Dell EMC Isilon
This commit is contained in:
parent
451c2bec47
commit
51bcc337dd
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=324102
|
@ -110,22 +110,11 @@ smb_strdup(const char *s)
|
|||
char *
|
||||
smb_strdupin(char *s, size_t maxlen)
|
||||
{
|
||||
char *p, bt;
|
||||
char *p;
|
||||
int error;
|
||||
size_t len;
|
||||
|
||||
len = 0;
|
||||
for (p = s; ;p++) {
|
||||
if (copyin(p, &bt, 1))
|
||||
return NULL;
|
||||
len++;
|
||||
if (maxlen && len > maxlen)
|
||||
return NULL;
|
||||
if (bt == 0)
|
||||
break;
|
||||
}
|
||||
p = malloc(len, M_SMBSTR, M_WAITOK);
|
||||
error = copyin(s, p, len);
|
||||
p = malloc(maxlen + 1, M_SMBSTR, M_WAITOK);
|
||||
error = copyinstr(s, p, maxlen + 1, NULL);
|
||||
if (error) {
|
||||
free(p, M_SMBSTR);
|
||||
return (NULL);
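Review bot: The new `p = malloc(maxlen + 1, M_SMBSTR, M_WAITOK);` / `error = copyinstr(s, p, maxlen + 1, NULL);` pair silently changes what maxlen == 0 means: the removed check `if (maxlen && len > maxlen)` treated 0 as "no limit", whereas now a 1-byte buffer admits only the empty string and any other input fails with ENAMETOOLONG and returns NULL. Callers are not visible in this hunk, so this only matters if any of them pass 0; it is worth confirming and then pinning the contract with a comment above the allocation such as `/* maxlen is the longest string accepted, excluding the NUL; longer input fails and yields NULL. */`. The allocation is also always maxlen + 1 bytes regardless of the actual string length, which is fine as long as maxlen is a kernel-chosen bound rather than user-controlled. The function's tail (the closing brace and the successful `return p`) lies past the end of the hunk.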
|
||||
|
|