From a88baed8dd64c3f77ee5070029d305489ad63743 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 7 Jun 2014 21:51:44 -0700 Subject: [PATCH] s3: smbd - fix processing of packets with invalid DOS charset conversions. Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler https://bugzilla.samba.org/show_bug.cgi?id=10654 Signed-off-by: Jeremy Allison CVE-2014-3493 --- source3/lib/charcnv.c | 26 +++++++++++++++++--------- source3/libsmb/clirap.c | 4 ++-- source3/smbd/lanman.c | 4 ++-- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c index 71d2c3a..2189812 100644 --- a/source3/lib/charcnv.c +++ b/source3/lib/charcnv.c @@ -46,9 +46,9 @@ void gfree_charcnv(void) **/ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags) { - size_t src_len = strlen(src); + size_t src_len = 0; char *tmpbuf = NULL; - size_t size; + size_t size = 0; bool ret; /* No longer allow a length of -1. */ @@ -62,24 +62,32 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags) smb_panic("malloc fail"); } if (!strupper_m(tmpbuf)) { + if ((flags & (STR_TERMINATE|STR_TERMINATE_ASCII)) && + dest && + dest_len > 0) { + *(char *)dest = 0; + } SAFE_FREE(tmpbuf); - return (size_t)-1; + return 0; } src = tmpbuf; } + src_len = strlen(src); if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) { src_len++; } ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, &size); - if (ret == false && - (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) - && dest_len > 0) { - ((char *)dest)[0] = '\0'; - } SAFE_FREE(tmpbuf); - return ret ? size : (size_t)-1; + if (ret == false) { + if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) && + dest_len > 0) { + ((char *)dest)[0] = '\0'; + } + return 0; + } + return size; } /******************************************************************** diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c index 036919f..64e3767 100644 --- a/source3/libsmb/clirap.c +++ b/source3/libsmb/clirap.c @@ -327,7 +327,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, sizeof(param) - PTR_DIFF(p,param) - 1, STR_TERMINATE|STR_UPPER); - if (len == (size_t)-1) { + if (len == 0) { SAFE_FREE(last_entry); return false; } @@ -339,7 +339,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, sizeof(param) - PTR_DIFF(p,param) - 1, STR_TERMINATE); - if (len == (size_t)-1) { + if (len == 0) { SAFE_FREE(last_entry); return false; } diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index 1b734a7..0a0ab6b 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn, return 0; } l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE); - if (l == -1) { + if (l == 0) { return 0; } (*dst) += l; @@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *n) return 0; } l = push_ascii(*dst,src,*n, STR_TERMINATE); - if (l == -1) { + if (l == 0) { return 0; } (*dst) += l; -- 1.7.0.4