From owner-freebsd-bugs@freebsd.org  Fri Sep 29 14:17:19 2017
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C9E42E2DEB2
 for <freebsd-bugs@mailman.ysv.freebsd.org>;
 Fri, 29 Sep 2017 14:17:19 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id ADCDB679E3
 for <freebsd-bugs@FreeBSD.org>; Fri, 29 Sep 2017 14:17:19 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v8TEHJiq020379
 for <freebsd-bugs@FreeBSD.org>; Fri, 29 Sep 2017 14:17:19 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 222687] smb_strdupin() does not properly check the length of
 string duped-in
Date: Fri, 29 Sep 2017 14:17:19 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: misc
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: meng.xu@gatech.edu
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-222687-8@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Sep 2017 14:17:19 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222687

            Bug ID: 222687
           Summary: smb_strdupin() does not properly check the length of
                    string duped-in
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: misc
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: meng.xu@gatech.edu

In function smb_strdupin(), it first guesses the length of the input string
(by incrementally reading it and testing for the NULL terminator) and then
does a copyin of the whole string from userspace. However, given that another
user thread can "scramble" the userspace buffer while smb_strdupin() is in
execution, it might result in a case where the string after the second copyin
is not NULL terminated.

This itself is not yet a very serious issue. However, it does become a bug
later. smb_strdupin() is invoked in smb_usr_t2request() by
t2p->t_name = smb_strdupin(dp->ioc_name, 128);
And later in downstream functions
smb_t2_request(t2p) --> smb_t2_request_int(t2p)
there is a call to t2p->t_name: nmlen = t2p->t_name ? strlen(t2p->t_name) : 0

Now if t2p->t_name is not NULL terminated, calling strlen(t2p->t_name)
will cause weird behaviors, such as invalid memory accesses.

-- 
You are receiving this mail because:
You are the assignee for the bug.
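The double fetch the report describes, as an added example that is not part of the bug report or of the FreeBSD source: a userland simulation in which copyin(9) is replaced by memcpy and the concurrent user thread by a hook invoked between the length probe and the bulk copy, so the race is deterministic. The names racy_strdupin, checked_strdupin, probe_len, sim_copyin and the sample share name are assumptions made for this example; only the probe-then-copy pattern and the maxlen of 128 come from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated user memory: in the kernel this page belongs to the calling
 * process and any other thread of that process may write it at any time. */
#define UBUFSZ 256
static char ubuf[UBUFSZ];

/* Hook standing in for the concurrent user thread (assumption for the demo). */
typedef void (*race_hook)(void);

static void scramble(void)
{
    memset(ubuf, 'A', sizeof ubuf);   /* no zero byte left anywhere */
}

/* Stand-in for copyin(9): copy n bytes from "user" to "kernel" memory. */
static int sim_copyin(const void *uaddr, void *kaddr, size_t n)
{
    memcpy(kaddr, uaddr, n);
    return 0;
}

/* First fetch: walk the user string one byte at a time until a 0 is seen.
 * Returns 0 with the length including the terminator, or -1 if no
 * terminator shows up within maxlen bytes. */
static int probe_len(const char *s, size_t maxlen, size_t *lenp)
{
    size_t len = 0;
    char bt;

    for (;; s++) {
        if (sim_copyin(s, &bt, 1))
            return -1;
        len++;
        if (maxlen && len > maxlen)
            return -1;
        if (bt == '\0')
            break;
    }
    *lenp = len;
    return 0;
}

/* The pattern the report describes: the length found by the first fetch is
 * trusted for the second. If the buffer changes in between, the returned
 * block has no terminator and a later strlen() runs off its end. */
char *racy_strdupin(const char *s, size_t maxlen, race_hook race)
{
    size_t len;
    char *k;

    if (probe_len(s, maxlen, &len) != 0)
        return NULL;
    if (race)
        race();                      /* other thread rewrites the string */
    k = malloc(len);
    sim_copyin(s, k, len);           /* second fetch, never re-validated */
    return k;
}

/* Hardened variant: validate the second fetch instead of trusting the first.
 * If the byte where the terminator was seen is no longer 0, the user buffer
 * changed underneath us; fail rather than hand back an unterminated string.
 * Writing k[len - 1] = '\0' unconditionally would be the other safe choice. */
char *checked_strdupin(const char *s, size_t maxlen, race_hook race)
{
    size_t len;
    char *k;

    if (probe_len(s, maxlen, &len) != 0)
        return NULL;
    if (race)
        race();
    k = malloc(len);
    sim_copyin(s, k, len);
    if (k[len - 1] != '\0') {
        free(k);
        return NULL;
    }
    return k;
}

/* Constructed sample: the kind of name smb_usr_t2request() dups in. */
static const char sample_name[] = "\\\\server\\share";

static void load_sample(void)
{
    memset(ubuf, 0, sizeof ubuf);
    memcpy(ubuf, sample_name, sizeof sample_name);
}

/* 1 if the racy copy came back with no 0 byte anywhere in its len bytes. */
int racy_copy_loses_terminator(void)
{
    char *k;
    int lost;

    load_sample();
    k = racy_strdupin(ubuf, 128, scramble);
    lost = (k != NULL && memchr(k, '\0', sizeof sample_name) == NULL);
    free(k);
    return lost;
}

/* 1 if the checked copy refuses the scrambled buffer. */
int checked_copy_rejects_race(void)
{
    load_sample();
    return checked_strdupin(ubuf, 128, scramble) == NULL;
}

/* 1 if the checked copy returns the exact string when nothing races. */
int checked_copy_works_unraced(void)
{
    char *k;
    int ok;

    load_sample();
    k = checked_strdupin(ubuf, 128, NULL);
    ok = (k != NULL && strcmp(k, sample_name) == 0);
    free(k);
    return ok;
}

/* 1 if a string with no terminator within maxlen bytes is rejected. */
int overlong_is_rejected(void)
{
    memset(ubuf, 'B', sizeof ubuf);   /* 256 non-zero bytes, maxlen is 128 */
    return racy_strdupin(ubuf, 128, NULL) == NULL;
}

int main(void)
{
    printf("racy copy lost terminator:  %d\n", racy_copy_loses_terminator());
    printf("checked copy rejected race: %d\n", checked_copy_rejects_race());
    printf("checked copy ok unraced:    %d\n", checked_copy_works_unraced());
    printf("overlong rejected:          %d\n", overlong_is_rejected());
    return 0;
}
```

The check on k[len - 1] is the minimal fix for the pattern as written; it keeps the byte-at-a-time probe, so the page-fault behaviour at the end of a user mapping is unchanged. In a real kernel the cleaner option is copyinstr(9), which copies up to a bounded length in a single pass, stops at the terminator it actually copied, and returns ENAMETOOLONG when none is found, removing the double fetch altogether. Either way the property that matters downstream is the one the report points at: strlen(t2p->t_name) must only ever see a buffer whose terminator was verified in kernel memory, not one inferred from an earlier read of user memory.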