Author: brooks
Date: Thu Jun 28 20:33:12 2018
New Revision: 335774
URL: https://svnweb.freebsd.org/changeset/base/335774

Log:
  MFC r335641:
  
  Fix a stack overflow in mount_smbfs when hostname is too long.
  
  The local hostname was blindly copied into the nn_name array.
  When the hostname exceeded 16 bytes, it would overflow.  Truncate the
  hostname to 15 bytes plus a 0 terminator which is the "workstation name"
  suffix.
  
  Use defensive strlcpy() when filling nn_name in all cases.
  
  PR:           228354
  Reported by:  donald.buchh...@intel.com
  Reviewed by:  jpaetzel,  ian (prior version)
  Discussed with:       Security Officer (gtetlow)
  Security:     Stack overflow with the hostname.
  Sponsored by: DARPA, AFRL
  Differential Revision:        https://reviews.freebsd.org/D15936

Modified:
  stable/11/contrib/smbfs/lib/smb/ctx.c
  stable/11/contrib/smbfs/lib/smb/nbns_rq.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/smbfs/lib/smb/ctx.c
==============================================================================
--- stable/11/contrib/smbfs/lib/smb/ctx.c       Thu Jun 28 19:42:10 2018        
(r335773)
+++ stable/11/contrib/smbfs/lib/smb/ctx.c       Thu Jun 28 20:33:12 2018        
(r335774)
@@ -549,7 +549,9 @@ smb_ctx_resolve(struct smb_ctx *ctx)
        }
        nn.nn_scope = ctx->ct_nb->nb_scope;
        nn.nn_type = NBT_SERVER;
-       strcpy(nn.nn_name, ssn->ioc_srvname);
+       if (strlen(ssn->ioc_srvname) > NB_NAMELEN)
+               return NBERROR(NBERR_NAMETOOLONG);
+       strlcpy(nn.nn_name, ssn->ioc_srvname, sizeof(nn.nn_name));
        error = nb_sockaddr(sap, &nn, &saserver);
        nb_snbfree(sap);
        if (error) {
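Review bot: The new early return at the NBERR_NAMETOOLONG check skips the `nb_snbfree(sap)` that follows the nb_sockaddr() call, so if sap holds a sockaddr allocated earlier in smb_ctx_resolve (the function starts before this hunk, and the free on the line after the call suggests it does) an over-long server name now leaks it. Either free it on that path, `if (strlen(ssn->ioc_srvname) > NB_NAMELEN) { nb_snbfree(sap); return NBERROR(NBERR_NAMETOOLONG); }`, or hoist the length check above the name resolution so nothing has been allocated yet. The check also bounds the name by NB_NAMELEN while the copy is bounded by sizeof(nn.nn_name); if those are not the same quantity plus one, a name of exactly the limit is silently truncated instead of rejected, whereas `if (strlcpy(nn.nn_name, ssn->ioc_srvname, sizeof(nn.nn_name)) >= sizeof(nn.nn_name)) return NBERROR(NBERR_NAMETOOLONG);` ties the rejection to the real buffer size. The rest of smb_ctx_resolve lies outside the hunk.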
@@ -565,7 +567,11 @@ smb_ctx_resolve(struct smb_ctx *ctx)
                }
                nls_str_upper(ctx->ct_locname, ctx->ct_locname);
        }
-       strcpy(nn.nn_name, ctx->ct_locname);
+       /*
+        * Truncate the local host name to NB_NAMELEN-1 which gives a
+        * suffix of 0 which is "workstation name".
+        */
+       strlcpy(nn.nn_name, ctx->ct_locname, NB_NAMELEN);
        nn.nn_type = NBT_WKSTA;
        nn.nn_scope = ctx->ct_nb->nb_scope;
        error = nb_sockaddr(NULL, &nn, &salocal);
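Review bot: The comment above the strlcpy conflates the NUL terminator with the NetBIOS name-type suffix: strlcpy with a size of NB_NAMELEN writes at most NB_NAMELEN-1 characters plus a NUL, and the 16th byte of the wire name is presumably filled in by the name encoder from nn_type (NBT_WKSTA, set on the next line), not by this copy. I would reword it as `/* Keep at most NB_NAMELEN-1 characters: the 16th byte of a NetBIOS name is the type suffix (0x00 = workstation), not part of the host name. Longer local names are silently truncated. */`. Because the truncation is silent, ct_locname and nn_name can now disagree for long hostnames; if ct_locname is used elsewhere as the name the peer sees, that deserves a sentence in the comment or a debug message. The enclosing if block and the rest of smb_ctx_resolve lie outside the hunk.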

Modified: stable/11/contrib/smbfs/lib/smb/nbns_rq.c
==============================================================================
--- stable/11/contrib/smbfs/lib/smb/nbns_rq.c   Thu Jun 28 19:42:10 2018        
(r335773)
+++ stable/11/contrib/smbfs/lib/smb/nbns_rq.c   Thu Jun 28 20:33:12 2018        
(r335774)
@@ -74,7 +74,7 @@ nbns_resolvename(const char *name, struct nb_ctx *ctx,
        if (error)
                return error;
        bzero(&nn, sizeof(nn));
-       strcpy(nn.nn_name, name);
+       strlcpy(nn.nn_name, name, sizeof(nn.nn_name));
        nn.nn_scope = ctx->nb_scope;
        nn.nn_type = NBT_SERVER;
        rqp->nr_nmflags = NBNS_NMFLAG_RD;
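Review bot: An over-long server name is silently truncated here, while the caller side in ctx.c rejects the same name with NBERR_NAMETOOLONG only after nbns_resolvename() has already run; a 17-byte name therefore sends a NetBIOS query for a different, truncated name before the error surfaces. Rejecting it here keeps both paths consistent, `if (strlcpy(nn.nn_name, name, sizeof(nn.nn_name)) >= sizeof(nn.nn_name)) return NBERROR(NBERR_NAMETOOLONG);`, but that return must first release rqp if it was allocated by the call whose error check opens the hunk, the way the function's later error paths do — those paths are outside the hunk, so I cannot name the release function here. nbns_resolvename starts before and continues past this hunk.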