Date: Sat, 31 Mar 2018 11:17:04 +0200
From: Harry Schmalzbauer <freebsd@omnilan.de>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org
Subject: Re: svn commit: r324102 - head/sys/netsmb
Message-ID: <5ABF5210.5080904@omnilan.de>
In-Reply-To: <201709291553.v8TFrQbu022220@repo.freebsd.org>
References: <201709291553.v8TFrQbu022220@repo.freebsd.org>

Regarding Conrad Meyer's message of 29.09.2017 17:53 (localtime):
> Author: cem
> Date: Fri Sep 29 15:53:26 2017
> New Revision: 324102
> URL: https://svnweb.freebsd.org/changeset/base/324102
>
> Log:
>   netsmb: Fix buggy/racy smb_strdupin()
>
>   smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer
>   and then blindly copyin that size.  Of course, a malicious user program
>   could simultaneously manipulate the buffer, resulting in a non-terminated
>   string being copied.
>
>   Later assumptions in the code rely upon the string being nul-terminated.
>
>   Just use copyinstr() and drop the racy sizing.
>
>   PR:		222687
>   Reported by:	Meng Xu <meng.xu AT gatech.edu>
>   Security:	possible local DoS
>   Sponsored by:	Dell EMC Isilon

Does anybody want to MFC this one before 11.2?

Thanks,

-harry
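
The double fetch described in the commit log, modeled in user space as an added example (not FreeBSD code and not part of the original message). fake_user, fetch(), racy_dupin(), single_pass_dupin() and MAXLEN are hypothetical names and values; the single bounded pass follows the idea of copyinstr(), where termination is decided on the bytes actually copied.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define MAXLEN 15                      /* constructed limit for the demo */

/* Constructed stand-in for user memory; flip_at models a racing user thread. */
struct fake_user { char mem[MAXLEN + 1]; int fetched; int flip_at; };

static void fake_user_init(struct fake_user *u, const char *s, int flip_at)
{
    memset(u, 0, sizeof(*u));
    strncpy(u->mem, s, MAXLEN);
    u->flip_at = flip_at;              /* -1 = no concurrent writer */
}

/* Hypothetical one-byte "copyin" from the simulated user buffer. */
static char fetch(struct fake_user *u, size_t i)
{
    if (u->fetched++ == u->flip_at)    /* racing writer removes the NUL */
        memset(u->mem, 'A', sizeof(u->mem));
    return u->mem[i];
}

/* Racy pattern: pass 1 sizes the string, pass 2 copies that many bytes.
 * Returns 0 even when dst ends up without a terminator. */
static int racy_dupin(struct fake_user *u, char *dst)
{
    size_t len = 0, i;
    while (len < MAXLEN && fetch(u, len) != '\0')
        len++;
    for (i = 0; i <= len; i++)         /* second fetch of the same bytes */
        dst[i] = fetch(u, i);
    return 0;
}

/* Single bounded pass: termination is judged on the bytes actually copied. */
static int single_pass_dupin(struct fake_user *u, char *dst)
{
    size_t i;
    for (i = 0; i <= MAXLEN; i++)
        if ((dst[i] = fetch(u, i)) == '\0')
            return 0;
    return ENAMETOOLONG;               /* caller must discard dst */
}

/* Returns 1 if dst holds a NUL somewhere in its MAXLEN + 1 bytes. */
static int terminated(const char *dst) { return memchr(dst, '\0', MAXLEN + 1) != NULL; }
```

With flip_at set to the number of bytes the sizing pass reads, racy_dupin() reports success on an unterminated buffer, while single_pass_dupin() either returns a terminated string or ENAMETOOLONG.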