Date: Fri, 29 Sep 2017 15:53:26 +0000 (UTC) From: Conrad Meyer <cem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r324102 - head/sys/netsmb Message-ID: <201709291553.v8TFrQbu022220@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cem Date: Fri Sep 29 15:53:26 2017 New Revision: 324102 URL: https://svnweb.freebsd.org/changeset/base/324102 Log: netsmb: Fix buggy/racy smb_strdupin() smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer and then blindly copyin that size. Of course, a malicious user program could simultaneously manipulate the buffer, resulting in a non-terminated string being copied. Later assumptions in the code rely upon the string being nul-terminated. Just use copyinstr() and drop the racy sizing. PR: 222687 Reported by: Meng Xu <meng.xu AT gatech.edu> Security: possible local DoS Sponsored by: Dell EMC Isilon Modified: head/sys/netsmb/smb_subr.c Modified: head/sys/netsmb/smb_subr.c ============================================================================== --- head/sys/netsmb/smb_subr.c Fri Sep 29 15:13:28 2017 (r324101) +++ head/sys/netsmb/smb_subr.c Fri Sep 29 15:53:26 2017 (r324102) @@ -110,22 +110,11 @@ smb_strdup(const char *s) char * smb_strdupin(char *s, size_t maxlen) { - char *p, bt; + char *p; int error; - size_t len; - len = 0; - for (p = s; ;p++) { - if (copyin(p, &bt, 1)) - return NULL; - len++; - if (maxlen && len > maxlen) - return NULL; - if (bt == 0) - break; - } - p = malloc(len, M_SMBSTR, M_WAITOK); - error = copyin(s, p, len); + p = malloc(maxlen + 1, M_SMBSTR, M_WAITOK); + error = copyinstr(s, p, maxlen + 1, NULL); if (error) { free(p, M_SMBSTR); return (NULL);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201709291553.v8TFrQbu022220>