Module Name:    src
Committed By:   christos
Date:           Tue Oct  3 15:27:10 UTC 2017

Modified Files:
        src/sys/netsmb: smb_subr.c

Log Message:
From FreeBSD:

netsmb: Fix buggy/racy smb_strdupin()

smb_strdupin() tried to roll a copyin() based strlen to allocate a buffer
and then blindly copyin that size.  Of course, a malicious user program
could simultaneously manipulate the buffer, resulting in a non-terminated
string being copied.

Later assumptions in the code rely upon the string being nul-terminated.

Just use copyinstr() and drop the racy sizing.

PR:             222687
Reported by:    Meng Xu <meng.xu AT gatech.edu>
Security:       possible local DoS
Sponsored by:   Dell EMC Isilon
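
To make the window the log message describes concrete, the following is an added userspace model of the two-pass smb_strdupin() next to the single-pass copyinstr() form; it is illustration written for this page, not NetBSD or FreeBSD code. struct user_mem, sim_copyin(), sim_copyinstr(), run_variant() and the "strike" hook that rewrites one byte of the user buffer after a chosen access are all constructs of the model: the real copyin()/copyinstr() cross the user/kernel boundary, these only copy within one process and merely mimic the return-value contract.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/*
 * Model of "user memory" (constructed; not NetBSD code): a plain buffer plus
 * a hook that rewrites one byte right after the strike_call-th simulated
 * copyin(), standing in for a second user thread running between accesses.
 */
struct user_mem {
	char *buf;
	size_t size;
	unsigned calls;		/* simulated copyin() calls so far */
	unsigned strike_call;	/* after this call, poke buf[strike_off] */
	size_t strike_off;
	char strike_byte;
};

/* Stand-in for copyin(): copy len bytes, then let the "other thread" run. */
static int
sim_copyin(struct user_mem *um, const char *uaddr, void *kaddr, size_t len)
{
	size_t off = (size_t)(uaddr - um->buf);
	if (off > um->size || len > um->size - off)
		return EFAULT;
	memcpy(kaddr, uaddr, len);
	if (++um->calls == um->strike_call && um->strike_off < um->size)
		um->buf[um->strike_off] = um->strike_byte;
	return 0;
}

/* Stand-in for copyinstr(): one bounded pass; on success kaddr holds a NUL. */
static int
sim_copyinstr(struct user_mem *um, const char *uaddr, char *kaddr, size_t len)
{
	size_t i;
	for (i = 0; i < len; i++) {
		if (sim_copyin(um, uaddr + i, &kaddr[i], 1))
			return EFAULT;
		if (kaddr[i] == '\0')
			return 0;
	}
	return ENAMETOOLONG;
}

/* Pre-fix shape: measure with one pass, then copy that many bytes blindly. */
static char *
old_strdupin(struct user_mem *um, char *s, size_t maxlen, size_t *alloclen)
{
	char *p, bt;
	size_t len = 0;
	for (p = s; ; p++) {
		if (sim_copyin(um, p, &bt, 1))
			return NULL;
		len++;
		if (maxlen && len > maxlen)
			return NULL;
		if (bt == 0)
			break;
	}
	p = malloc(len);
	sim_copyin(um, s, p, len);	/* second pass: memory may have changed */
	*alloclen = len;
	return p;
}

/* Post-fix shape: one copyinstr() into a maxlen + 1 buffer, no pre-sizing. */
static char *
new_strdupin(struct user_mem *um, char *s, size_t maxlen, size_t *alloclen)
{
	char *p = malloc(maxlen + 1);
	if (sim_copyinstr(um, s, p, maxlen + 1)) {
		free(p);
		return NULL;
	}
	*alloclen = maxlen + 1;
	return p;
}

/*
 * Run one variant on a constructed user buffer "abc"; the hook flips the NUL
 * to 'A' after access strike_call (4 = the read of the NUL, i.e. the window
 * between the old code's two passes). 1 = terminated, 0 = not, -1 = refused.
 */
static int
run_variant(int use_fix, size_t maxlen, unsigned strike_call)
{
	char user[8] = "abc";
	struct user_mem um = { user, sizeof user, 0, strike_call, 3, 'A' };
	size_t n = 0;
	int terminated;
	char *p = use_fix ? new_strdupin(&um, user, maxlen, &n)
	    : old_strdupin(&um, user, maxlen, &n);
	if (p == NULL)
		return -1;
	terminated = memchr(p, '\0', n) != NULL;
	free(p);
	return terminated;
}
```

run_variant(0, 16, 4) returns 0: the old shape measured four bytes, the terminator was overwritten before the second pass, and the kernel copy has no NUL in it. run_variant(1, 16, 4) returns 1 for the same timing, and the fixed shape stays terminated for every strike position because each byte is read exactly once and the copy stops at the first NUL it actually saw or fails with ENAMETOOLONG.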


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/sys/netsmb/smb_subr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netsmb/smb_subr.c
diff -u src/sys/netsmb/smb_subr.c:1.38 src/sys/netsmb/smb_subr.c:1.39
--- src/sys/netsmb/smb_subr.c:1.38	Fri Jul 28 10:37:27 2017
+++ src/sys/netsmb/smb_subr.c	Tue Oct  3 11:27:10 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_subr.c,v 1.38 2017/07/28 14:37:27 riastradh Exp $	*/
+/*	$NetBSD: smb_subr.c,v 1.39 2017/10/03 15:27:10 christos Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.38 2017/07/28 14:37:27 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.39 2017/10/03 15:27:10 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -114,20 +114,15 @@ smb_strdup(const char *s)
 char *
 smb_strdupin(char *s, size_t maxlen)
 {
-	char *p, bt;
-	size_t len = 0;
+	char *p;
+	int error;
 
-	for (p = s; ;p++) {
-		if (copyin(p, &bt, 1))
-			return NULL;
-		len++;
-		if (maxlen && len > maxlen)
-			return NULL;
-		if (bt == 0)
-			break;
+	p = malloc(maxlen + 1, M_SMBSTR, M_WAITOK);
+	error = copyinstr(s, p, maxlen + 1, NULL);
+	if (error) {
+		free(p, M_SMBSTR);
+		return NULL;
 	}
-	p = malloc(len, M_SMBSTR, M_WAITOK);
-	copyin(s, p, len);
 	return p;
 }
 
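Review bot: the meaning of maxlen == 0 changes in this hunk. The removed loop treated 0 as "no limit" (`if (maxlen && len > maxlen)`), but the new code does `malloc(maxlen + 1, ...)` and `copyinstr(s, p, maxlen + 1, NULL)`, so a caller passing 0 now gets a one-byte buffer and ENAMETOOLONG for any non-empty string. Either confirm no caller relies on the unlimited form or map 0 to an explicit cap before the malloc(). Two smaller points: the accepted length shifts by one, since the old loop counted the terminator in len and rejected len > maxlen (at most maxlen - 1 characters) while copyinstr() into maxlen + 1 bytes accepts maxlen characters plus the NUL; and the returned buffer is now always maxlen + 1 bytes rather than sized to the string, which is fine for smb_strfree() but worth a note for any caller that assumed a tight allocation.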
