
Revision 324102


Author: cem
Date: Fri Sep 29 15:53:26 2017 UTC (5 years, 7 months ago)
Changed paths: 1
Log Message:
netsmb: Fix buggy/racy smb_strdupin()

smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer
and then blindly copyin that size.  Of course, a malicious user program
could simultaneously manipulate the buffer, resulting in a non-terminated
string being copied.

Later assumptions in the code rely upon the string being nul-terminated.

Just use copyinstr() and drop the racy sizing.

PR:		222687
Reported by:	Meng Xu <meng.xu AT gatech.edu>
Security:	possible local DoS
Sponsored by:	Dell EMC Isilon


Changed paths

Path: head/sys/netsmb/smb_subr.c
Details: modified, text changed
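
The double-fetch problem the log message describes, as an added user-space C model that is not the FreeBSD source and not part of this commit. The names `sim_copyin`, `sim_copyinstr`, `dup_racy`, `dup_fixed`, `user_buf`, `flip_at` and `racer` are hypothetical, and the concurrent user-space writer is replayed deterministically between the two fetches.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed user memory; flip_at >= 0 models a concurrent writer hitting that byte. */
static char user_buf[16];
static int flip_at = -1;
static void racer(void) { if (flip_at >= 0) user_buf[flip_at] = 'X'; }

/* Stand-in for copyin(9): copies exactly len bytes, no string semantics. */
static void sim_copyin(const char *u, char *k, size_t len) { memcpy(k, u, len); }

/* Stand-in for copyinstr(9): single pass, stops at NUL, fails if none in len bytes. */
static int sim_copyinstr(const char *u, char *k, size_t len) {
    for (size_t i = 0; i < len; i++)
        if ((k[i] = u[i]) == '\0') return 0;
    return -1; /* the kernel returns ENAMETOOLONG here */
}

/* Racy pattern: size the string with one fetch, copy it with a second. */
static char *dup_racy(const char *u, size_t maxlen) {
    size_t len = 0;
    char c = 1;
    for (; len < maxlen; len++) {
        sim_copyin(u + len, &c, 1);
        if (c == '\0') break;
    }
    if (c != '\0') return NULL;           /* no terminator within maxlen */
    char *k = malloc(len + 1);
    if (k == NULL) return NULL;
    racer();                              /* user memory changes here */
    sim_copyin(u, k, len + 1);            /* trusts the stale length */
    return k;                             /* may lack a NUL */
}

/* Fixed pattern: allocate the bound, let one bounded string copy decide. */
static char *dup_fixed(const char *u, size_t maxlen) {
    char *k = malloc(maxlen + 1);
    if (k == NULL) return NULL;
    racer();                              /* same writer, termination still holds */
    if (sim_copyinstr(u, k, maxlen + 1) != 0) { free(k); return NULL; }
    return k;                             /* always NUL-terminated */
}

int main(void) {
    strcpy(user_buf, "share"); flip_at = 5;   /* writer overwrites the NUL */
    char *r = dup_racy(user_buf, 15);
    return (r != NULL && memchr(r, '\0', 6) == NULL) ? 0 : 1; /* 0: unterminated copy */
}
```

With the single bounded copy, the worst a concurrent writer can do is change the string's contents or make the call fail; it cannot produce an unterminated kernel buffer.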
