Source-Changes archive


CVS commit: src/sys/netsmb



Module Name:    src
Committed By:   christos
Date:           Tue Oct  3 15:27:10 UTC 2017

Modified Files:
        src/sys/netsmb: smb_subr.c

Log Message:
From FreeBSD:

netsmb: Fix buggy/racy smb_strdupin()

smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer
and then blindly copyin that size.  Of course, a malicious user program
could simultaneously manipulate the buffer, resulting in a non-terminated
string being copied.

Later assumptions in the code rely upon the string being nul-terminated.

Just use copyinstr() and drop the racy sizing.

PR:             222687
Reported by:    Meng Xu <meng.xu AT gatech.edu>
Security:       possible local DoS
Sponsored by:   Dell EMC Isilon


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/sys/netsmb/smb_subr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
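
A user-space model of the double fetch described in the log message, next to a single-pass copy in the style of copyinstr(). This is an added example, not the NetBSD or FreeBSD code: the helper names, the `race` callback (a deterministic stand-in for a concurrent user thread) and the sample buffer are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a concurrent user thread: overwrites the NUL. */
static void drop_nul(char *u) { u[3] = 'X'; }

/* Double fetch: size the string in one pass, then copy that many bytes. */
static char *strdupin_racy(char *u, size_t maxlen, void (*race)(char *)) {
    size_t len = 0;
    while (u[len++] != '\0')            /* fetch 1: find the length */
        if (len > maxlen) return NULL;
    char *k = malloc(len);
    if (k == NULL) return NULL;
    race(u);                            /* user memory changes here */
    memcpy(k, u, len);                  /* fetch 2: trusts the stale length */
    return k;
}

/* Single fetch, copyinstr()-style: each byte is read once, bounded by maxlen. */
static char *strdupin_single(char *u, size_t maxlen, void (*race)(char *)) {
    char *k = malloc(maxlen + 1);
    if (k == NULL) return NULL;
    for (size_t i = 0; i <= maxlen; i++) {
        k[i] = u[i];
        if (k[i] == '\0') return k;     /* terminator is in the copy itself */
        if (i == 0) race(u);            /* same interference, mid-copy */
    }
    free(k);                            /* no NUL within maxlen + 1 bytes */
    return NULL;
}

/* Returns 1 if the copy made by fn has a NUL within its first n bytes. */
static int copy_is_terminated(char *(*fn)(char *, size_t, void (*)(char *)), size_t n) {
    char user[16] = "abc";              /* constructed "user space" buffer */
    char *k = fn(user, 8, drop_nul);
    int ok = (k != NULL) && memchr(k, '\0', n) != NULL;
    free(k);
    return ok;
}

static int racy_terminated(void)   { return copy_is_terminated(strdupin_racy, 4); }
static int single_terminated(void) { return copy_is_terminated(strdupin_single, 9); }

int main(void) {
    printf("racy copy terminated:   %d\n", racy_terminated());
    printf("single copy terminated: %d\n", single_terminated());
    return 0;
}
```

In the racy version the length and the data come from two separate reads of user memory, so the copy can lack the terminator that later code assumes. The single-pass version either sees the NUL in its own copy or fails.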



